Software

TONESHELL is a custom backdoor that has been used since at least Q1 2021.[1] TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.[2][3]

TRAILBLAZE is an in-memory dropper used to deploy the passive backdoor BRUSHFIRE. First reported in March 2025, TRAILBLAZE has been observed in operations attributed to People's Republic of China (PRC) state-sponsored affiliated actors, including UNC5221 and SYLVANITE. [1][2][3]

TRANSLATEXT is malware that is believed to be used by Kimsuky.[1] TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious Javascript files that perform defense evasion, information collection and exfiltration.[1]

This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS.

TRITON is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. TRITON was deployed against at least one target in the Middle East. [1][2][3][4][5]

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.[1][2]. TSCookie has been referred to as PLEAD though more recent reporting indicates a separation between the two.[3][2]

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[1] Taidoor has primarily been used against Taiwanese government organizations since at least 2010.[2]

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[1]

Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. [1]

TangleBot is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. TangleBot has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to FluBot Android malware campaigns.[1]

Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[1]

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [1]

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[2][3]

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[1]

TianySpy is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. TianySpy is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.[1]

Tiktok Pro is spyware that has been masquerading as the TikTok application.[1]

TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.[1]

TinyZBot is a bot written in C# that was developed by Cleaver. [1]

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[1]

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]

Triada was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.[1]

TriangleDB is an Objective-C written implant deployed after Binary Validator and after root privileges are obtained during Operation Triangulation’s infection chain. Upon execution, TriangleDB communicates with the C2 server, relaying information about the victim device.[1]