View on MITRE ATT&CK

T1059.006 - Python

Sub-technique
Tactics:
Execution
Platforms:
ESXi Linux macOS Windows
Detection:
Not specified
Description:
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
Used by Actors (17)
APT29
Nation-state
Turla
Nation-state
Tonto Team
Nation-state
Kimsuky
Nation-state
MuddyWater
Nation-state
APT37
Nation-state
APT39
Unknown
Rocke
Unknown
Earth Lusca
Unknown
UNC3886
Unknown
Dragonfly
Unknown
Cinnamon Tempest
Unknown
BRONZE BUTLER
Unknown
RedCurl
Unknown
Contagious Interview
Unknown
ZIRCONIUM
Unknown
Machete
Unknown
Malware (20)
reGeorg other InvisibleFerret other UPSTYLE other PyDCrypt other Turian other THINCRUST other Machete other DropBook other Keydnap other PUNCHBUGGY other KeyBoy other Lumma Stealer other Chaes other Bundlore other VIRTUALPIE other Bandook other Pysa other SpeakUp other Cobalt Strike other Neo-reGeorg other
Metadata
MITRE ID: T1059.006
STIX ID: attack-pattern--cc3502b5-30cc-...
Platforms: ESXi, Linux, macOS, Windows
Created: 13/01/2026 17:48
Updated: 06/03/2026 16:00