ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures

By: Amy Robertson and Adam Pennington

Our goal with ATT&CK v17 is to help defenders stay aligned with where adversaries are headed by looking at where they’ve recently been. This release aims to inform defensive efforts by focusing on the platforms adversaries are exploiting, the techniques they’re adapting, and the environments they’re targeting.

• Enterprise now includes the ESXi platform, reflecting the rise in attacks on virtualization infrastructure. We also renamed the Network platform to Network Devices (because let’s call things what they are).
• On the Defensive side, we’ve made Data Components more useful, showing you how to collect, not just what, with platform-specific tips and tools. Mitigations also got an upgrade, with more guidance, real-world examples, and integration tips.
• We updated content for Mobile, including five new tools and a cross-domain campaign, spotlighting both current and emerging threats to the space.
• In CTI, we’re tracking more Groups, Campaigns, and Software that focus on state-directed and criminal operations targeting diverse environments with versatile tools aimed at both data theft and disruption.
• We’ve updated the mitreattack-python library to work with ATT&CK v17 STIX content, and shifted Workbench to semantic versioning, to streamline and let you preview some major upcoming changes.

For all the details on our updates/additions across Techniques, Software, Groups and Campaigns take a look at our . This name change is meant to more intuitively reflect that the platform comprises techniques used to target network devices such as routers, switches, and load balancers.

As part of our ongoing Enterprise maintenance and updates, we’ve introduced novel behaviors and more technical implementations, including expanded cloud security and Linux coverage, as well as streamlining related techniques by merging overlapping sub-techniques. Some of the updates include:

· or reach out at [email protected].

CTI | Diverse Environments, Platform Versatility, & Custom Tools

This release continues our focus on capturing impactful intrusions, from cybercriminal campaigns to state-directed espionage, showcasing how adversaries combine social engineering alongside custom implants, share and reuse infrastructure, and constantly improve their encryption and evasion techniques.

To ATT&CK’s Groups, we’ve added G1045: Salt Typhoon, a People’s Republic of China (PRC) state-backed actor that has targeted network infrastructure at major U.S. telecoms and internet service providers (ISP). We included two other PRC-linked groups, G1042: RedEcho, who reuses S0596: ShadowPad and shares infrastructure with G0096: APT41 to persist in India’s critical sectors, and G1047: Velvet Ant, who exploits zero-days in devices like Cisco Nexus switches to implant custom backdoors and maintain long-term access. We’ve also added the Türkiye-linked G1041: Sea Turtle, which reroutes traffic and spoofs login portals to steal credentials, and Iran’s G1044: APT42, which uses spearphishing and PINEFLOWER Android malware to quietly exfiltrate data. We expanded cybercriminal coverage with G1043: BlackByte and the upgraded 2.0 version of their ransomware that often hits critical infrastructure. We also highlight G1046: Storm-1811, which leverages S1070: Black Basta by spamming inboxes and tricking victims into fake help desk chats that lead to malware deployment.

On the Campaigns side, we added activity related to targeting critical infrastructure and edge devices, obfuscating adversary infrastructure, and exploiting vulnerabilities in artificial intelligence (AI) systems. C0046: ArcaneDoor, C0050: J-magic, and C0048: Operation MidnightEclipse demonstrate how adversaries have exploited networking gear and VPN appliances from Cisco, Juniper, and Palo Alto to stealthily access and try to persist on government and industrial networks. On the Operational Technology (OT) side, the C0041: FrostyGoop incident demonstrates real-world impacts in Ukraine, with heating services disrupted by manipulating control systems. Also in Ukraine, the C0051: APT28 Nearest Neighbor Campaign reflects a physical proximity-based attack, leveraging nearby Wi-Fi networks to infiltrate the intended targets, and highlights that your network perimeter may extend further than you think.

In Australia and Southeast Asia, C0049: Leviathan and C0047: RedDelta used credential theft and lateral movement to quietly extract sensitive data in long-running intrusions, and in espionage campaigns targeting Israeli and Indian organizations, C0044: Juicy Mix and C0042: Outer Space, both linked to G0049: OilRig, relied on tailored malware. With the burgeoning use hybrid infrastructure, we added in C0043: FLORAHOX and C0052: SPACEHOP, that leveraged a mix of compromised routers and leased VPS servers, also known as Operational Relay Box (ORB) networks, to mask traffic and complicate attribution. Finally, the C0045: ShadowRay campaign exploited a flaw in the Ray AI framework, marking one of the first observed exploitation of vulnerabilities in AI infrastructure for access to data and compute resources.

Our adversary-used Software updates and additions this release converge around state-directed and criminal operations that increasingly target diverse environments with platform versatility and feature dual objectives of data theft and destruction/disruption.

• Ransomware + Criminal Innovation: The evolution of BlackByte, LockBit, and Akira into more advanced variants (S1181: BlackByte 2.0, S1202: LockBit 3.0, S1194: Akira_v2) highlights ongoing ransomware-as-a-service (RaaS) maturation. Tools like S1179: Exbyte and S1213: Lumma Stealer show ransomware operators also investing in data theft and exfiltration, monetized via criminal marketplaces and initial access brokers.
• Network Device Targeting: S1203: J-magic, S1206: JumbledPath, S1184: BOLDMOVE, and S1186: Line Dancer focus on edge devices like firewalls and routers, leveraging their blind spots in visibility and patching.
• Wipers/Destructive Operations: Tools like S1167: AcidPour and S1190: Kapeka indicate a continued interest in disruption-focused operations, particularly in Eastern Europe and Ukrainian infrastructure. These tools are often linked to state-linked actors (G0034: Sandworm Team) and tailored for embedded and ICS environments.
• Backdoors & Surveillance: Custom backdoors S1197: GoBear, S1198: Gomir, S1211: Hannotog, S1169: Mango, and S1182: MagicRAT are used for long-term espionage and modular control over compromised networks by state-directed threat groups like G0094: Kimsuky, G0030: Lotus Blossom, G0049: OilRig, and G0032: Lazarus Group.

If you have data or behaviors to share, join us on #attack-cti, or contribute via email.

Software & Infrastructure | More Functionality, Stability & Previews

For developers building their own copies of the website, we’ve upgraded the version of Python required to build it to 3.13. This also goes for the mitreattack-python library, which has been upgraded with additional functionality to work with the ATT&CK v17 STIX content. For ATT&CK Workbench users, we’re changing up our release process using semantic releases, to provide a more stable channel separate from pre-release. This supports the major STIX changes to Data Sources and Data components that will be part of the October release, and we’re giving the community an early look to test and share feedback before the changes go final later this year. Finally, the TAXII 2.1 server has been updated with the ATT&CK v17 content as well.

Questions, suggestions, or moonshot ideas? Let us know on Slack or email.

Up Next | ATT&CKcon CFP, ATT&CKing Mondays & ATT&CK’s 2025 Roadmap

ATT&CKcon

ATT&CKcon will be back for 6.0 on October 14–15, 2025, in McLean, VA, and we’ll continue to focus on how adversaries are adapting and how defenders across the globe are detecting and disrupting them. We’ll be opening our CFP soon, and while we know most submissions will come in right before the deadline (don’t worry, we’ve prepared), we’re looking forward to the innovative ways you’re using ATT&CK. Interested in more information (or interested in sponsoring ATT&CKcon 6.0), visit our conference website at https://na.eventscloud.com/attackcon6.

ATT&CKing Mondays

Every Monday afternoon at 12pm ET we kick off ATT&CKing Mondays, where we explore what works in ATT&CK, and what could be refactored, refined, or reimagined. This is your direct line into helping us advance ATT&CK and to hear different perspectives from across the community. Join the conversations at #attacking-Mondays on ATT&CK’s Slack. Not there yet? Join our community by visiting here.

ATT&CK’s 2025 Roadmap

Stay tuned to this space and ATT&CK’s social media, ATT&CK’s 2025 roadmap is coming soon. We’ll be getting into detail on what to expect in October as we release ATT&CK v18, and some of what we’re considering for this and future years.

Thank you as always to everyone who contributed to this release. We wouldn’t be able to bring you ATT&CK without the active community who shares in-the-wild examples and real-world implementations of what adversaries have been up to. Once again, if you see something, contrib something.

Connect with us on Email, Bluesky, LinkedIn, or Slack.

©2025 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited. 25–01009–01.

---

ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.