Name | Tags | Incidents | ATT&CK Tactic | Tech | Status |
|---|---|---|---|---|---|
Cloud | Credential Access (TA0006) | Stub | |||
Cloud | Discovery (TA0007) | Stub | |||
CI/CD | Stub | ||||
Cloud | LAPSUS$ campaigns | Lateral Movement (TA0008) | Stub | ||
K8s | Kiss-A-Dog campaignOracleIV campaign | Initial Access (TA0001) | Docker | Stub | |
AAD | APT29 targeting Microsoft 365 | Lateral Movement (TA0008) | Stub | ||
Cloud | Persistence (TA0003) | Stub | |||
Cloud | Initial Access (TA0001) | AWS Appstream | Stub | ||
DangerDev SES abuse incidentFrom refresh token theft to global admin | Stub | ||||
AAD | APT29 targeting Microsoft 365 | Lateral Movement (TA0008) | Stub | ||
AAD | APT29 targeting Microsoft 365Solarigate: Solarwinds supply chain attackPeach Sandstorm targeting Azure | Lateral Movement (TA0008)Credential Access (TA0006) | Finalized | ||
CloudAAD | Stealing the LIGHTSHOW | Stub | |||
Cloud | Peach Sandstorm targeting Azure | Persistence (TA0003)Execution (TA0002) | Azure Arc | Stub | |
Cloud | Cryptojacking via Azure Batch | Azure Batch | Stub | ||
CloudAAD | Persistence (TA0003) | Stub | |||
CloudAAD | Lateral Movement (TA0008) | Stub | |||
Cloud | Scattered Spider Azure Run abuse | Execution (TA0002) | Stub | ||
Cloud | Initial Access (TA0001) | Stub | |||
K8s | AmberSquid campaigneBPF Rootkit Targeting AWS and Linux Environments | Initial Access (TA0001) | Docker | Stub | |
Cloud | Initial Access (TA0001) | Stub | |||
Cloud | Initial Access (TA0001) | AWS Lambda | Stub | ||
LinuxWindows | Persistence (TA0003) | Stub | |||
Windows | Agenda Ransomware Targets ESXi and vCenter ServersCrazyHunter Ransomware Group Targets Critical Sectors in Taiwan | Execution (TA0002)Privilege Escalation (TA0004) | Stub | ||
CloudRansomware | BlackCat Azure Storage Account RansomOpCodefinger Ransomware Campaign Targeting S3 Buckets | Impact (TA0040) | Stub | ||
Cloud | Initial Access (TA0001) | Stub | |||
App Misconfig. | Reconnaissance (TA0043)Credential Access (TA0006) | cAdvisor | Stub | ||
CI/CD | Discovery (TA0007) | Stub | |||
Supply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage Credentials | Not started | ||||
Phishing campaign leading to Azure account takeover | Not started | ||||
Cloud | Leaked long-lived AWS credsLAPSUS$ campaignsDangerDev SES abuse incidentMuddled Libra campaigns (2024)LLMjacking via Laravel exploitationS3 RansomOp following long-term key exposureScylla LLMJacking campaignScattered Spider targeting Azure environment | Reconnaissance (TA0043) | Stub | ||
CloudK8s | Kiss-A-Dog campaignScarletEel campaign (Feb ‘23)RBAC BusterMisconfigured firewall to cryptojacking botnetScarletEel campaign (July ‘23)EleKtra-LeakLabrat GitLab campaignAmberSquid campaignDangerDev SES abuse incidentECS Fargate cryptojackingDero cryptojacking targeting K8sDERO cryptojacking campaign (2024)SeleniumGreed: Threat actors exploit exposed Selenium Grid services for CryptominingConfluence exploited for cryptojackingREF6138 campaignUltralytics compromiseKong image compromiseUSAID cryptojacking incidentSysrv Apache Druid cryptojackingLucifer Apache Druid cryptojacking | Impact (TA0040) | Featured | ||
Apple cloud key exposureBMW exposed cloud storageZenlayer exposed databaseFrom social engineering to cryptocurrency theft Football Australia exposed cloud keyAbusing management tooling for cloud accessPersonal local drive to AWS ransomwareThird party to cloud compromiseScylla LLMJacking campaignAttack abusing Amazon SESFrom social engineering to Lambda modificationJavaGhost SES abuseCompromised cloud keys exfiltrated to bucket | Credential Access (TA0006) | Stub | |||
Cloud | Impact (TA0040) | Finalized | |||
Third party to cloud compromiseSmishing into Entra onto VMWare ransomwareStorm-0501 attacking hybrid environments with ransomwareUNC2165 Targets Hybrid Environments with Ransomware | Not started | ||||
Cloud | Persistence (TA0003) | Stub | |||
K8s | RBAC Buster | Initial Access (TA0001) | Stub | ||
From social engineering to Lambda modification | Not started | ||||
K8s | Commando Cat campaign | Discovery (TA0007) | Stub | ||
Cloud | Initial Access (TA0001) | Stub | |||
Cloudflare incident following Okta breachEarth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities | Stub | ||||
Cloud | RBAC BusterSIM-Swap to Data Leak on Dark WebDangerDev SES abuse incidentS3 data exfiltrationLeaked long-lived AWS credsScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)S3 RansomOp following long-term key exposureScattered Spider SaaS targeting (2023)Phishing campaign leading to Azure account takeoverFrom stolen cloud key to persistence-as-a-serviceGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access BrokerageTruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC Fraud | Persistence (TA0003) | Stub | ||
LinuxWindows | Commando Cat campaign | Persistence (TA0003) | Stub | ||
From refresh token theft to global admin | Persistence (TA0003)Credential Access (TA0006) | Stub | |||
Cosmic Wolf cloud activityDangerDev SES abuse incidentFrom password reset to data exfiltrationScattered Spider targeting GCP environmentEC2 Grouper campaign | Defense Evasion (TA0005) | Stub | |||
SilentBob cryptomining campaignQubitstrike Crypto Mining and Rootkit CampaignCommando Cat campaignCRYSTALRAY: threat actors exploiting OSS toolsScattered Spider targeting GCP environmentOperation WindigoGelsemium’s Shift to Linux Malware with WolfsBane and FireWoodPlague PAM-Based Backdoor for LinuxDripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux SystemseBPF Rootkit Targeting AWS and Linux EnvironmentsUnauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Persistence (TA0003) | Stub | |||
Otelier data breachShai-Hulud 2.0 Supply Chain Attack | Not started | ||||
CI/CD | SIM-Swap to Data Leak on Dark WebEleKtra-LeakSisense breachRabbit AI exposed keys in codeMercedes-Benz source code exposureShinyHunters Ransomware Targeting Cloud Environmentstj-actions/changed-files supply chain attackZapier data breachxAI leaked API keyGhostAction campaignShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareShai-Hulud 2.0 Supply Chain Attack | Credential Access (TA0006) | Stub | ||
CloudLinux | Fast Company incidentNew Relic incident (November 2023) | Initial Access (TA0001) | Stub | ||
SilentBob cryptomining campaignQubitstrike Crypto Mining and Rootkit CampaignLAPSUS$ campaignsFBot toolkit targets cloud environmentsCommando Cat campaignFrom S3 bucket to Jenkins credential dumpAffirmed Networks breachLLMjacking via Laravel exploitationAtlas Lion phishing campaignSmishing into Entra onto VMWare ransomwareScattered Spider SaaS targeting (2024)CRYSTALRAY: threat actors exploiting OSS toolsRansomware operators exploit ESXi vulnerabilityScattered Spider Abuses Cloud Management AgentShinyHunters Ransomware Targeting Cloud EnvironmentsExtortion Campaign Exploiting Exposed Environment VariableAPT29 Targeting Zimbra and TeamCity ServersEarth Simnavaz (APT34) Targeting UAE and Gulf RegionsUNC5820 exploiting FortiManager flawBrowserStack Data BreachDropbox Github breachMozi Botnet Using AndroxGh0st Toolkit to Target Cloud EnvironmentsSharePoint Vulnerability Exploited in-the-WildEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityVolkswagen data leak through Spring Boot Actuator misconfigurationPhishing campaign leading to Azure account takeoverStorm-0501 attacking hybrid environments with ransomwareBapak Exploiting Stolen Cloud Access KeysTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsSeashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data ExfiltrationRevivalStone Campaign by WinntiZapier data breachWeaver Ant data exfiltration campaignAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceGrafana GitHub Action attempted supply chain attackRspack supply chain attackUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignAzure Account Hijack via Stolen TokensAWS CodeBuild Vulnerability Allows Build Process Secrets ExtractionUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access BrokerageCompromised Salesloft Drift Tokens Enable Data Theft Across IntegrationsGhostAction 
campaignShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareBRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal SectorsIIS Backdoor Exploiting Exposed ASP.NET Machine KeysTruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC FraudCisco ISE Vulnerability Exploited as 0day by APTCryptomining Campaign Exploiting Exposed Ray AI InfrastructureShai-Hulud 2.0 Supply Chain Attack | Credential Access (TA0006) | Stub | |||
From PHP exploitation to AWS lateral movementCoinStomp campaignFrom PHP vuln to Sliver execution via cronDiicot Campaign Targeting Exposed SSHMexals cryptojacking campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for CryptominingUNC5174 Linux Espionage CampaignCryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Persistence (TA0003) | Stub | |||
Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Not started | ||||
Network | fsevents supply chain attackMasterCard Fixes Five-Year-Old DNS Typo MisconfigurationCDC dangling domain hijack | Resource Development (TA0042) | Stub | ||
S3 data exfiltrationS3 ransomware scam | Stub | ||||
Ransomware | DarkRadiation campaign | Impact (TA0040) | Stub | ||
Horde Panda targeting South Asian telecommunications provider | Not started | ||||
REF6138 campaignLangflow Vulnerability Exploited to Deliver Flodrix Botnet | Not started | ||||
Scattered Spider targeting GCP environment | Not started | ||||
Not started | |||||
UNC2165 Targets Hybrid Environments with Ransomware | Not started | ||||
Cloud | Ubiquiti incidentScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)Cloud lateral movement via Citrix cookieAPT29 targeting Microsoft 365 | Defense Evasion (TA0005) | Stub | ||
Network | Fast Company incident | Discovery (TA0007) | Stub | ||
DarkRadiation campaign | Impact (TA0040) | Stub | |||
Execution (TA0002) | Stub | ||||
Earth Kasha’s Campaign Exploiting Fortinet VulnerabilityEarth Preta’s Campaign Abusing MAVInject to Bypass Detection | Not started | ||||
Msupedge Backdoor Targeting Taiwanese UniversityeBPF Rootkit Targeting AWS and Linux Environments | Not started | ||||
Denonia campaign | Command and Control (TA0011) | Stub | |||
DangerDev SES abuse incident | Stub | ||||
Smishing into Entra onto VMWare ransomware | Not started | ||||
New Relic incident (November 2023) | Stub | ||||
Supply Chain | Cyber Toufan Linux destruction | Impact (TA0040) | Microsoft Exchange | Stub | |
Cloud | Cloud lateral movement via Citrix cookieAWS Breach at a SaaS CompanyIIS Backdoor Exploiting Exposed ASP.NET Machine Keys | Defense Evasion (TA0005) | Stub | ||
Linux | Gin Docker cryptojacking campaign | Privilege Escalation (TA0004) | Stub | ||
DangerDev SES abuse incident | Stub | ||||
Execution (TA0002) | Stub | ||||
Cloud | Muddled Libra campaigns (2024) | Exfiltration (TA0010) | Stub | ||
Cloud | Muddled Libra campaigns (2024) | Exfiltration (TA0010) | Stub | ||
K8s | Privilege Escalation (TA0004) | Stub | |||
K8s | Kiss-A-Dog campaignDoki cryptojacking campaign | Privilege Escalation (TA0004) | Stub | ||
Cloud | Exfiltration (TA0010) | Stub | |||
ComfyUI exploitation campaign | Not started | ||||
DepositFiles exposed config fileAndroxGh0st usage (2024) | Initial Access (TA0001) | Stub | |||
EMERALDWHALE Attacks Targeting Exposed Git Config FilesGame Freak data leak | Credential Access (TA0006)Reconnaissance (TA0043) | Stub | |||
Not started | |||||
AWS Network Exploitation and Ransomware DetonationGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access BrokerageeBPF Rootkit Targeting AWS and Linux Environments | Not started | ||||
Cloud | Credential Access (TA0006)Lateral Movement (TA0008) | Stub | |||
Meow database server campaign | Initial Access (TA0001) | Stub | |||
Atlas Lion phishing campaign | Not started | ||||
Node.js repository CI/CD vulnerable to RCE | Not started | ||||
Network | Commando Cat campaign | Command and Control (TA0011) | Stub | ||
CloudAuthentication | Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Privilege Escalation (TA0004) | Stub | ||
Larva-25003: IIS Native Module Malware Used in Targeted Web Server AttacksIIS Backdoor Exploiting Exposed ASP.NET Machine Keys | Not started | ||||
Supply ChainK8s | Initial Access (TA0001) | Stub | |||
Cloud | ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)SilentBob cryptomining campaignFrom PHP exploitation to AWS lateral movementMisconfigured firewall to cryptojacking botnetCapital One incident (March 2019)UNC2903 campaignsSQL Server to cloud lateral movementFrom PHP vuln to Sliver execution via cronFrom web app exploitation to Chisel tunnelingCommando Cat campaignHugging Face cross-tenant accessUS DoD NIPRNet access via Atlassian SSRFGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage | Credential Access (TA0006) | Featured | ||
Privilege Escalation (TA0004) | Stub | ||||
Not started | |||||
Stealing the LIGHTSHOW | Execution (TA0002)Persistence (TA0003) | Stub | |||
Cloudflare incident following Okta breach | Stub | ||||
App Misconfig. | Jupyter Notebook cred harvesting campaignMeow Jupyter Notebook campaignPanamorfi campaignSports Piracy Exploiting Misconfigured Jupyter ServersExposed Jupyter Notebooks Targeted for Cryptomining | Initial Access (TA0001)Privilege Escalation (TA0004) | Jupyter Notebook | Stub | |
Ransomware | Impact (TA0040) | Jupyter Notebook | Stub | ||
K8sAuthentication | Dero cryptojacking targeting K8sDERO cryptojacking campaign (2024) | Initial Access (TA0001) | Kubernetes | Stub | |
Cloud | Persistence (TA0003) | AWS Lambda | Stub | ||
DangerDev SES abuse incidentSmishing into Entra onto VMWare ransomwareFrom password reset to data exfiltrationScattered Spider targeting GCP environment | Stub | ||||
Linux | PHP Targeted with Glutton backdoorCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining | Persistence (TA0003) | Stub | ||
AI/ML | Initial Access (TA0001) | Stub | |||
LLMjacking via Laravel exploitationScylla LLMJacking campaignLLM Hijacking Targeting AWS | Stub | ||||
BORN Group supply chain attack | Not started | ||||
Windows | Peach Sandstorm targeting AzureWidespread TeamCity exploitation (March ‘24) | Defense Evasion (TA0005) | Stub | ||
Windows | Storm-0558 phishing campaignsUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools | Credential Access (TA0006)Privilege Escalation (TA0004) | Stub | ||
AI/ML | Hugging Face cross-tenant access | ML Attack Staging (AML.TA0001) | Stub | ||
Shai-Hulud 2.0 Supply Chain Attack | Not started | ||||
AWS CodeBuild Vulnerability Allows Build Process Secrets Extraction | Not started | ||||
Supply ChainCloud | Initial Access (TA0001) | Stub | |||
Not started | |||||
CircleCI incidentTwilio incidentTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsFrom stolen cloud key to persistence-as-a-serviceAkira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN | Initial Access (TA0001) | Stub | |||
Authentication | APT29 targeting Microsoft 365Atlas Lion phishing campaignSmishing into Entra onto VMWare ransomwareScattered Spider SaaS targeting (2023)Scattered Spider targeting Azure environmentPhishing campaign leading to Azure account takeoverAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceAzure Account Hijack via Stolen Tokens | Persistence (TA0003) | Stub | ||
AuthenticationSocial Eng. | Initial Access (TA0001) | Stub | |||
App Misconfig. | Lucifer Botnet targeting HadoopRedis, Hadoop, and Docker exploitationDreambus campaign (2021) | Apache Hadoop | Stub | ||
App Misconfig. | Initial Access (TA0001) | Argo CD | Stub | ||
App Misconfig. | Qubitstrike Crypto Mining and Rootkit CampaignDreambus campaign (2021) | Initial Access (TA0001) | Hashicorp Consul | Stub | |
App Misconfig. | Meow database server campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining | Initial Access (TA0001) | PostgreSQL | Stub | |
App Misconfig. | Redis, Hadoop, and Docker exploitationKinsing campaigns (2020)TeamTNT’s Docker Gatling Gun CampaignGafgyt Malware Targeting Misconfigured Docker ServersDocker Swarm and K8s cryptojacking campaign | Initial Access (TA0001) | Docker | Stub | |
App Misconfig. | Cryptojacking Campaign Targets Misconfigured DevOps Tools | Initial Access (TA0001)Privilege Escalation (TA0004) | Gitea | Finalized | |
Grafana GitHub Action attempted supply chain attackGhostAction campaign | Not started | ||||
Backdoored self-hosted GitHub Runner | Not started | ||||
App Misconfig.K8s | Initial Access (TA0001) | KubeFlow | Stub | ||
Cryptojacking Campaign Targets Misconfigured DevOps Tools | Not started | ||||
CloudCI/CD | Initial Access (TA0001)Credential Access (TA0006) | Featured | |||
Kinsing campaigns (2023-2024)Dreambus campaign (2021)PG_MEM Malware Exploiting Misconfigured PostreSQL InstancesSoco404 Cryptomining Campaign Exploits PostgreSQL and Cloud Misconfigurations | Not started | ||||
Cloud | Exfiltration (TA0010) | Microsoft Power Pages | Stub | ||
App Misconfig. | P2PInfect campaignSkidMap targeting RedisMigo cryptominer targeting RedisRedis, Hadoop, and Docker exploitationHeadCrab campaignDreambus campaign (2021)RedisRaider Linux Cryptojacking Campaign Targets Redis Servers | Initial Access (TA0001) | Redis | Stub | |
App Misconfig. | SeleniumGreed: Threat actors exploit exposed Selenium Grid services for CryptominingCampaign targeting Selenium Grid for cryptomining | Initial Access (TA0001) | Selenium Grid | Stub | |
LinuxOS Misconfig.NetworkAuthentication | ChinaZ campaignsDiicot Campaign Targeting Linux Environments | Initial Access (TA0001)Lateral Movement (TA0008) | Featured | ||
Hadooken Malware Targeting Weblogic Servers | Not started | ||||
App Misconfig. | Meson Network cryptojacking campaign | Initial Access (TA0001) | WordPress | Stub | |
Scattered Spider targeting GCP environment | Not started | ||||
Cloud | DangerDev SES abuse incidentFrom stolen cloud key to persistence-as-a-service | Persistence (TA0003) | Stub | ||
Cloud | Persistence (TA0003) | Stub | |||
CRYSTALRAY: threat actors exploiting OSS toolsRansomware operators exploit ESXi vulnerabilityAPT28 Targeting Print Spooler Vulnerability for GooseEgg DeploymentBORN Group supply chain attackHorde Panda targeting South Asian telecommunications provider SharePoint Vulnerability Exploited in-the-WildDocker Swarm and K8s cryptojacking campaignCampaign targeting exposed FortiGate firewall management interfacesRevivalStone Campaign by WinntiBPFDoor’s Hidden Controller Targets AMEA SectorsAWS Breach at a SaaS CompanyUTG-Q-015 Exploits 0-Days for Espionage in AsiaUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignAWS Data Exfiltration and Attempted Ransomware | Not started | ||||
OAuth applications to deploy VMs for cryptominingMicrosoft email exfiltration by Nobelium | Persistence (TA0003) | Stub | |||
OAuth applications to deploy VMs for cryptominingMicrosoft email exfiltration by Nobelium | Persistence (TA0003) | Stub | |||
From social engineering to Lambda modificationSilk Typhoon Targeting IT and Cloud ApplicationsStorm-0501 Deploys Cloud-Based Ransomware | Not started | ||||
Scattered Spider targeting GCP environment | Not started | ||||
Cleo Vulnerabilities Targeted by Cl0p Ransomware | Not started | ||||
Supply ChainCI/CD | Multiple organizations vulnerable to dependency confusionIvanti supply chain attack via compromised libraryPyTorch-nightly torchtriton dependency compromise | Initial Access (TA0001)Execution (TA0002) | npmPyPI | Finalized | |
Package hijacking redteam opNx Package Supply Chain Compromise Delivers Data-Stealing Malware | Initial Access (TA0001) | Stub | |||
Cloud tools imitation campaign | Initial Access (TA0001) | Stub | |||
Cloud tools imitation campaignRspack supply chain attack | Initial Access (TA0001) | Stub | |||
Trigona targeting MSSQL serversGoBruteforcer campaignFBot toolkit targets cloud environmentsRE#TURGENCE MSSQL Server RansomOpMimic used by Trigona operatorsRUBYCARP: Botnet Exploiting Vulnerabilities for CryptoTargetCompany Abusing MSSQL Servers for RansomwareGafgyt Malware Targeting Cloud EnvironmentsPG_MEM Malware Exploiting Misconfigured PostreSQL InstancesPrometei campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for CryptominingUTG-Q-015 Exploits 0-Days for Espionage in AsiaSonicWall MySonicWall Cloud Backup File Security Incident | Initial Access (TA0001) | Stub | |||
CredentialsAuthentication | Peach Sandstorm targeting AzureMicrosoft email exfiltration by NobeliumSmishing into Entra onto VMWare ransomwareAPT29 Targeting Zimbra and TeamCity ServersUSAID cryptojacking incidentPassword spray attack leads to containers being used for cryptominingTeamFiltration Account Takeover Campaign | Credential Access (TA0006)Initial Access (TA0001) | Stub | ||
CloudAI/ML | Persistence (TA0003) | Stub | |||
Not started | |||||
Cloud | Persistence (TA0003) | Stub | |||
Storm-0558 phishing campaignsRUBYCARP: Botnet Exploiting Vulnerabilities for CryptoGitHub certificate theft incidentAtlas Lion phishing campaignPersonal local drive to AWS ransomwareScattered Spider SaaS targeting (2023)RomCom exploiting Word vulnerability in campaign targeting government entitiesMicrosoft Smartscreen Vulnerability Exploited by Water HydraWindows SmartScreen vulnerability exploited by Mispadu trojanScattered Spider Abuses Cloud Management AgentTriad Nexus: Funnull malicious campaignDropbox Github breachEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityFrom social engineering to Lambda modificationBlack Basta Exploiting Vulnerabilities in Multiple ProductsKiss-A-Dog campaignUTG-Q-015 Exploits 0-Days for Espionage in AsiaSupply Chain Attack on npm Packages via Maintainer Phishing | Initial Access (TA0001) | Stub | |||
AI/ML | Resource Development (TA0042)Persistence (TA0003) | Stub | |||
DangerDev SES abuse incident | Stub | ||||
Earth Preta’s Campaign Abusing MAVInject to Bypass DetectionOperation LongFangPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments | Not started | ||||
K8s | Lateral Movement (TA0008) | Kubernetes | Stub | ||
Labrat GitLab campaign9hits Docker campaignCampaign targeting Selenium Grid for cryptomining | Impact (TA0040) | Stub | |||
Cloud | Reuters leaky ElasticSearch DBScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)K8s targeted via OpenMetadata exploitationExploitation in the wild of Aviatrix Controller RCEOperation LongFang | Initial Access (TA0001) | Stub | ||
ECS Fargate cryptojackingTeamTNT’s Docker Gatling Gun CampaignMulti-Layered Cryptojacking via Docker | Stub | ||||
Shai-Hulud 2.0 Supply Chain Attack | Not started | ||||
CI/CD | Initial Access (TA0001) | GitHub | Stub | ||
LinuxCloud | Kiss-A-Dog campaign | Persistence (TA0003) | Redis | Stub | |
Authentication | From refresh token theft to global admin | Credential Access (TA0006) | Stub | ||
CI/CD | Privilege Escalation (TA0004) | GitHub | Stub | ||
Credentials | Python infrastructure leaked access token | Reconnaissance (TA0043)Credential Access (TA0006) | Stub | ||
DarkRadiation campaign | Execution (TA0002) | Stub | |||
Gitloker campaign | Stub | ||||
Supply Chain | Initial Access (TA0001) | Stub | |||
CI/CDApp Misconfig.Network | Initial Access (TA0001) | GitHubTeamCityJenkins | Stub | ||
AWS Breach at a SaaS CompanyTeamFiltration Account Takeover Campaign | Not started | ||||
Cloud | Execution (TA0002) | AWS CloudFormation | Stub | ||
Cloud | Credential Access (TA0006) | Stub | |||
ByBit hack | Not started | ||||
CoinStomp campaignCloud lateral movement via Citrix cookieFrom code commit to production takeoverSilent Skimmer Attacks Exploiting Telerik UI to Steal Payment DataDiicot Campaign Targeting Linux EnvironmentsMalicious AI Models Bypass Picklescan DetectionBPFDoor’s Hidden Controller Targets AMEA SectorsIvanti EPMM RCE Vulnerability Chain Exploited in the WildUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignCryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Execution (TA0002) | Stub | |||
DarkRadiation campaign | Persistence (TA0003)Execution (TA0002)Privilege Escalation (TA0004)Defense Evasion (TA0005) | Stub | |||
Supply ChainCI/CD | Ultralytics compromiseKong image compromise | Initial Access (TA0001) | GitHubGitLab | Not started | |
SIM swapping to serial port abuseScattered Spider SaaS targeting (2023) | Stub | ||||
Cloud | Denonia campaign | Execution (TA0002) | AWS Lambda | Stub | |
DangerDev SES abuse incidentJavaGhost SES abuse | Impact (TA0040) | Stub | |||
From stolen cloud key to persistence-as-a-service | Not started | ||||
MITRE breach via Ivanti Connect Secure | Stub | ||||
Cloud | DangerDev SES abuse incident | Exfiltration (TA0010)Persistence (TA0003) | Stub | ||
SIM-Swap to Data Leak on Dark WebScattered Spider SaaS targeting (2023)Scattered Spider SaaS targeting (2024) | Initial Access (TA0001) | Stub | |||
Supply Chain | Initial Access (TA0001)Resource Development (TA0042) | npmPyPI | Stub | ||
Atlas Lion phishing campaignSmishing into Entra onto VMWare ransomwareScattered Spider SaaS targeting (2023)Scattered Spider SaaS targeting (2024) | Stub | ||||
Cloud | Amazon SNS | Stub | |||
Social Eng. | XZ Utils backdoor incident | Initial Access (TA0001) | Stub | ||
Retool hackEarth Preta’s Campaign Abusing MAVInject to Bypass Detection | Initial Access (TA0001) | Stub | |||
App Misconfig. | Initial Access (TA0001) | Spring Boot | Stub | ||
App Misconfig. | SQL Server to cloud lateral movement | Execution (TA0002) | MySQLMicrosoft SQL Server | Stub | |
App Misconfig. | GambleForce SQL injection campaignSQL Server to cloud lateral movementRedJuliett Exploiting VPN and Firewall VulnerabilitiesBoolka campaignRevivalStone Campaign by Winnti | Initial Access (TA0001) | MySQLMicrosoft SQL Server | Stub | |
Gafgyt Malware Targeting Cloud EnvironmentsOperation VelesDiicot Campaign Targeting Exposed SSHMexals cryptojacking campaignDiicot Campaign Targeting Linux EnvironmentsLinux SSH Servers Compromised to Deploy Proxies | Not started | ||||
BORN Group supply chain attack | Not started | ||||
Dreambus campaign (2021)S3 data exfiltrationSSH-Snake Confluence targeting campaign | Lateral Movement (TA0008) | Stub | |||
Social Eng. | Initial Access (TA0001) | Stub | |||
Cyberoam breach (2018) | Not started | ||||
From PHP exploitation to AWS lateral movement | Stub | ||||
Cloud | Lateral Movement (TA0008) | Stub | |||
Misconfigured firewall to cryptojacking botnetCapital One incident (March 2019)UNC2903 campaignsUS DoD NIPRNet access via Atlassian SSRF | Initial Access (TA0001) | Stub | |||
Cloud | SilentBob cryptomining campaign | Credential Access (TA0006) | Stub | ||
CloudNetwork | Impact (TA0040) | S3 Bucket | Stub | ||
Krpano XSS exploitation campaignGambling Network Exploits Abandoned Subdomains | Not started | ||||
Supply Chain | Triad Nexus: Funnull malicious campaignSupply Chain Attack on lottie-playerUltralytics compromiseKong image compromiseDogWifTool supply chain attackMalicious AI Models Bypass Picklescan DetectionSupply Chain Compromise of rand-user-agent: Obfuscated RAT with C2 Communication and File ExfiltrationSolana web3.js Supply Chain AttackDragonForce Exploits SimpleHelp Vulnerabilities in Ransomware CampaignNPM Supply Chain Attack Compromises 16 Popular React Native and GlueStack PackagesNx Package Supply Chain Compromise Delivers Data-Stealing MalwareQix npm package supply chain compromiseShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareUNC3379 npm supply chain attacksSupply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage CredentialsShai-Hulud 2.0 Supply Chain Attack | Initial Access (TA0001) | Not started | ||
Linux | Siloscape campaign | Privilege Escalation (TA0004) | Stub | ||
CoinStomp campaignFrom WSO2 RCE to SSH lateral movement | Defense Evasion (TA0005) | Stub | |||
Microsoft signing key compromiseIn-Memory IIS Attacks via View State Deserialization | Initial Access (TA0001)Credential Access (TA0006) | Stub | |||
Peach Sandstorm targeting AzureMicrosoft signing key compromiseCyber Toufan Linux destructionSiloscape campaign | Command and Control (TA0011)Defense Evasion (TA0005) | Stub | |||
Network | Microsoft email exfiltration by Nobelium | Defense Evasion (TA0005) | Stub | ||
Weaver Ant data exfiltration campaign | Not started | ||||
State-Sponsored APT Abuse Visual Studio Code in Attacks | Not started | ||||
Campaign targeting Selenium Grid for cryptominingDiicot Campaign Targeting Exposed SSHMexals cryptojacking campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for CryptominingExposed Jupyter Notebooks Targeted for Cryptomining | Not started | ||||
Cloud | SQL Server to cloud lateral movement | Exfiltration (TA0010) | Stub | ||
Rollbar hackSnowflake compromised creds abuse campaignRansomware operators exploit ESXi vulnerabilityScattered Spider Abuses Cloud Management AgentShinyHunters Ransomware Targeting Cloud EnvironmentsExtortion Campaign Exploiting Exposed Environment VariableStorm-0501 Targeting Hybrid Environments with RansomwareVeeam Vulnerability Exploited by Akira and Fog RansomwareDropbox Github breachCleo Vulnerabilities Targeted by Cl0p RansomwareVolkswagen data leak through Spring Boot Actuator misconfigurationPhishing campaign leading to Azure account takeoverBapak Exploiting Stolen Cloud Access KeysTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsCode Injection Attacks Exploiting Publicly Disclosed ASP.NET KeysAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceAWS Breach at a SaaS CompanyCompromised cloud keys exfiltrated to bucketAzure Account Hijack via Stolen TokensAWS Data Exfiltration and Attempted RansomwareCompromised Salesloft Drift Tokens Enable Data Theft Across IntegrationsShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareBRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal SectorsPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server EnvironmentsTata Motors Hardcoded AWS Keys and API Tokens Exposed TruffleNet Campaign Exploits AWS SES for Large-Scale Cloud Abuse and BEC FraudShai-Hulud 2.0 Supply Chain Attack | Initial Access (TA0001)Credential Access (TA0006) | Stub | |||
Scattered Spider targeting Azure environment | Not started | ||||
SIM swapping to serial port abuse | Privilege Escalation (TA0004) | Stub | |||
New Relic incident (November 2023)AWS Breach at a SaaS CompanyUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign | Stub | ||||
Network | Apache server Cryptojacking with Cobalt Strike; Prophet Spider campaign; Andariel exploiting Apache ActiveMQ; GoTitan ActiveMQ campaign; LAPSUS$ campaigns; P2PInfect campaign; 8820 Gang targeting WebLogic; Trigona targeting MSSQL servers; RE#TURGENCE MSSQL Server RansomOp; Mimic used by Trigona operators; Lucifer Botnet targeting Hadoop; C3Pool mining via Confluence vulnerability; z0Miner targeting WebLogic servers; Meson Network cryptojacking campaign; ShadowSyndicate aiohttp exploitation; UNC5174 ScreenConnect and F5 BIG-IP exploitation; RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto; K8s targeted via OpenMetadata exploitation; Kinsing campaigns (2020); Redigo campaign; TargetCompany Abusing MSSQL Servers for Ransomware; Kinsing targeting cloud servers; RedTail Cryptomining campaign; Muhstik campaign; RedJuliett Exploiting VPN and Firewall Vulnerabilities; 8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking; CRYSTALRAY: threat actors exploiting OSS tools; Ransomware operators exploit ESXi vulnerability; Dama webshell deployment via ThinkPHP exploitation; RomCom exploiting Word vulnerability in campaign targeting government entities; Microsoft Smartscreen Vulnerability Exploited by Water Hydra; Windows SmartScreen vulnerability exploited by Mispadu trojan; ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day; APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment; RCE Vulnerability in PHP CGI Exploited by TellYouThePass; Mirai Botnet Exploiting Apache OFBiz Vulnerability; Godzilla Backdoor Exploiting Confluence Vulnerability; DragonRank Targeting IIS Web Servers; UNC1860 Attacks Targeting the Middle East; Storm-0501 Targeting Hybrid Environments with Ransomware; perfctl Malware Targeting Linux; Veeam Vulnerability Exploited by Akira and Fog Ransomware; APT29 Targeting Zimbra and TeamCity Servers; Earth Simnavaz (APT34) Targeting UAE and Gulf Regions; UNC5820 exploiting FortiManager flaw; BrowserStack Data Breach; Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments; Prometei campaign; RCE Vulnerability in PAN-OS Exploited in-the-Wild; BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials; Earth Kasha’s Campaign Exploiting Fortinet Vulnerability; State-Sponsored APT Abuse Visual Studio Code in Attacks; Mauri Ransomware Exploiting Apache ActiveMQ; Cleo Vulnerabilities Targeted by Cl0p Ransomware; Byte Federal Data Breach via Gitlab Vulnerability; RCE Vulnerability in Apache Struts Targeted by Attackers; US Treasury breach via BeyondTrust supply chain attack; Exploitation in the wild of Aviatrix Controller RCE; Campaign targeting exposed FortiGate firewall management interfaces; Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration; Black Basta Exploiting Vulnerabilities in Multiple Products; Silk Typhoon Targeting IT and Cloud Applications; PHP-CGI Vulnerability Exploited in Attacks Targeting Japan; Operation LongFang; Oracle Cloud Potential Supply Chain Breach; Krpano XSS exploitation campaign; Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor; SAP NetWeaver Visual Composer exploitation campaign; Mimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign; Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild; Coordinated One-Day Cloud Scanning Operation Targets 75 Exposure Points; DragonForce Exploits SimpleHelp Vulnerabilities in Ransomware Campaign; Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities; UTG-Q-015 Exploits 0-Days for Espionage in Asia; Langflow Vulnerability Exploited to Deliver Flodrix Botnet; Attacks on Korean IIS & Linux Servers; UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign; Linuxsys Cryptominer Campaign; Mimo Targets Magento, Docker, and Cloud Environments; 0day Vulnerability in Microsoft Sharepoint Exploited in-the-Wild; AWS CodeBuild Vulnerability Allows Build Process Secrets Extraction; Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools; Auto-Color Malware Exploits SAP Vulnerability for Linux Backdoor; Warlock Ransomware Exploiting Sharepoint Vulnerabilities; Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise; Storm-0501 Deploys Cloud-Based Ransomware; DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems; Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA; Cl0p Extortion Campaign Claims Theft via Oracle E-Business Suite; eBPF Rootkit Targeting AWS and Linux Environments; PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments; Tata Motors Hardcoded AWS Keys and API Tokens Exposed; China-Linked Actors Target U.S. Policy-Oriented Non-Profit Organisations; Cisco ISE Vulnerability Exploited as 0day by APT; Unauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485; Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure | Initial Access (TA0001); Privilege Escalation (TA0004) | Stub | ||
MITRE breach via Ivanti Connect Secure; Earth Baku campaign; UNC1860 Attacks Targeting the Middle East; Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data; SharePoint Vulnerability Exploited in-the-Wild; Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood; State-Sponsored APT Abuse Visual Studio Code in Attacks; RevivalStone Campaign by Winnti; PHP-CGI Vulnerability Exploited in Attacks Targeting Japan; Operation LongFang; Weaver Ant data exfiltration campaign; SAP NetWeaver Visual Composer exploitation campaign; Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks; Mimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign; Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities; Attacks on Korean IIS & Linux Servers; In-Memory IIS Attacks via View State Deserialization; 0day Vulnerability in Microsoft Sharepoint Exploited in-the-Wild; UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools; Warlock Ransomware Exploiting Sharepoint Vulnerabilities; Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise; Storm-0501 Deploys Cloud-Based Ransomware; PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments; Cisco ISE Vulnerability Exploited as 0day by APT | Stub | ||||
Krpano XSS exploitation campaign | Not started |