Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Эксфильтрация через канал управления
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Эксфильтрация через канал упра...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Эксфильтрация через канал управления

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

ID: T1041
Тактика(-и): Exfiltration
Платформы: ESXi, Linux, Windows, macOS
Источники данных: Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Версия: 2.3
Дата создания: 31 May 2017
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
TrickBot

TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.(Citation: Cyberreason Anchor December 2019)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
BLINDINGCAN

BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.(Citation: NHS UK BLINDINGCAN Aug 2020)(Citation: US-CERT BLINDINGCAN Aug 2020)
Pikabot

During the initial Pikabot command and control check-in, Pikabot will transmit collected system information encrypted using RC4.(Citation: Elastic Pikabot 2024)
Spark

Spark has exfiltrated data over the C2 channel.(Citation: Unit42 Molerat Mar 2020)

Bumblebee

Bumblebee can send collected data in JSON format to C2.(Citation: Google EXOTIC LILY March 2022)
Amadey

Amadey has sent victim data to its C2 servers.(Citation: BlackBerry Amadey 2020)
Proxysvc

Proxysvc performs data exfiltration over the control server channel using a custom protocol.(Citation: McAfee GhostSecret)
Torisma

Torisma can send victim data to an actor-controlled C2 server.(Citation: McAfee Lazarus Nov 2020)
Stuxnet

Stuxnet sends compromised victim information via HTTP.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
RotaJakiro

RotaJakiro sends device and other collected data back to the C2 using the established C2 channels over TCP. (Citation: RotaJakiro 2021 netlab360 analysis)
KOPILUWAK

KOPILUWAK has exfiltrated collected data to its C2 via POST requests.(Citation: Mandiant Suspected Turla Campaign February 2023)
Misdat

Misdat has uploaded files and data to its C2 servers.(Citation: Cylance Dust Storm)
ShimRatReporter

ShimRatReporter sent generated reports to the C2 via HTTP POST requests.(Citation: FOX-IT May 2016 Mofang)
Sliver

Sliver can exfiltrate files from the victim using the download command.(Citation: GitHub Sliver Download)
SILENTTRINITY

SILENTTRINITY can transfer files from an infected host to the C2 server.(Citation: GitHub SILENTTRINITY Modules July 2019)
HAWKBALL

HAWKBALL has sent system information and files over the C2 channel.(Citation: FireEye HAWKBALL Jun 2019)
Ursnif

Ursnif has used HTTP POSTs to exfil gathered information.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)
ZLib

ZLib has sent data and files from a compromised host to its C2 servers.(Citation: Cylance Dust Storm)
Bankshot

Bankshot exfiltrates data over its C2 channel.(Citation: McAfee Bankshot)
SharpDisco

SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2.(Citation: MoustachedBouncer ESET August 2023)
StrongPity

StrongPity can exfiltrate collected documents through C2 channels.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
AppleSeed

AppleSeed can exfiltrate files via the C2 channel.(Citation: Malwarebytes Kimsuky June 2021)
PowerExchange

PowerExchange can exfiltrate files via its email C2 channel.(Citation: Symantec Crambus OCT 2023)
Emotet

Emotet has exfiltrated data over its C2 channel.(Citation: Trend Micro Emotet Jan 2019)(Citation: Binary Defense Emotes Wi-Fi Spreader)
Crimson

Crimson can exfiltrate stolen information over its C2.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)
Tomiris

Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.(Citation: Kaspersky Tomiris Sep 2021)
DUSTTRAP

DUSTTRAP can exfiltrate collected data over C2 channels.(Citation: Google Cloud APT41 2024)
Empire

Empire can send data gathered from a target through the command and control channel.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019)
BADHATCH

BADHATCH can exfiltrate data over the C2 channel.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Machete

Machete's collected data is exfiltrated over the same channel used for C2.(Citation: ESET Machete July 2019)
PingPull

PingPull has the ability to exfiltrate stolen victim data through its C2 channel.(Citation: Unit 42 PingPull Jun 2022)
PcShare

PcShare can upload files and information from a compromised host to its C2 servers.(Citation: Bitdefender FunnyDream Campaign November 2020)
Woody RAT

Woody RAT can exfiltrate files from an infected machine to its C2 server.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda

Mafalda can send network system data and files to its C2 server.(Citation: SentinelLabs Metador Sept 2022)
Squirrelwaffle

Squirrelwaffle has exfiltrated victim data using HTTP POST requests to its C2 servers.(Citation: ZScaler Squirrelwaffle Sep 2021)
AuTo Stealer

AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.(Citation: MalwareBytes SideCopy Dec 2021)
ShrinkLocker

ShrinkLocker will exfiltrate victim system information along with the encryption key via an HTTP POST.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)
SombRAT

SombRAT has uploaded collected data and files from a compromised host to its C2 server.(Citation: BlackBerry CostaRicto November 2020)
ODAgent

ODAgent can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files.(Citation: ESET OilRig Downloaders DEC 2023)
FlawedAmmyy

FlawedAmmyy has sent data collected from a compromised host to its C2 servers.(Citation: Korean FSI TA505 2020)
HOPLIGHT

HOPLIGHT has used its C2 channel to exfiltrate data.(Citation: US-CERT HOPLIGHT Apr 2019)

Cuckoo Stealer

Cuckoo Stealer can send information about the targeted system to C2 including captured passwords, OS build, hostname, and username.(Citation: Kandji Cuckoo April 2024)
MobileOrder

MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications.(Citation: Scarlet Mimic Jan 2016)
RDAT

RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.(Citation: Unit42 RDAT July 2020)
Okrum

Data exfiltration is done by Okrum using the already opened channel with the C2 server.(Citation: ESET Okrum July 2019)
TRANSLATEXT

TRANSLATEXT has exfiltrated collected credentials to the C2 server.(Citation: Zscaler Kimsuky TRANSLATEXT)

Line Dancer

Line Dancer exfiltrates collected data via command and control channels.(Citation: Cisco ArcaneDoor 2024)
Mispadu

Mispadu can sends the collected financial data to the C2 server.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)
Doki

Doki has used Ngrok to establish C2 and exfiltrate data.(Citation: Intezer Doki July 20)
MarkiRAT

MarkiRAT can exfiltrate locally stored data via its C2.(Citation: Kaspersky Ferocious Kitten Jun 2021)
PowerShower

PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.(Citation: Kaspersky Cloud Atlas August 2019)
NETEAGLE

NETEAGLE is capable of reading files over the C2 channel.(Citation: FireEye APT30)
CHIMNEYSWEEP

CHIMNEYSWEEP can upload collected files to the command-and-control server.(Citation: Mandiant ROADSWEEP August 2022)
Rising Sun

Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.(Citation: McAfee Sharpshooter December 2018)

Chrommme

Chrommme can exfiltrate collected data via C2.(Citation: ESET Gelsemium June 2021)
Flagpro

Flagpro has exfiltrated data to the C2 server.(Citation: NTT Security Flagpro new December 2021)

LightSpy

To exfiltrate data, LightSpy configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name.(Citation: Huntress LightSpy macOS 2024)
GoldMax

GoldMax can exfiltrate files over the existing C2 channel.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)
Line Runner

Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer.(Citation: Cisco ArcaneDoor 2024)
Pteranodon

Pteranodon exfiltrates screenshot files to its C2 server.(Citation: Palo Alto Gamaredon Feb 2017)
ROKRAT

ROKRAT can send collected files back over same C2 channel.(Citation: Talos ROKRAT)
Dyre

Dyre has the ability to send information staged on a compromised host externally to C2.(Citation: Malwarebytes Dyreza November 2015)
Bisonal

Bisonal has added the exfiltrated data to the URL over the C2 channel.(Citation: Talos Bisonal Mar 2020)

S-Type

S-Type has uploaded data and files from a compromised host to its C2 servers.(Citation: Cylance Dust Storm)
Lumma Stealer

Lumma Stealer has exfiltrated collected data over existing HTTP and HTTPS C2 channels.(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)
DustySky

DustySky has exfiltrated data to the C2 server.(Citation: Kaspersky MoleRATs April 2019)
LightNeuron

LightNeuron exfiltrates data over its email C2 channel.(Citation: ESET LightNeuron May 2019)
DarkGate

DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.(Citation: Ensilo Darkgate 2018)
Mongall

Mongall can upload files and information from a compromised host to its C2 server.(Citation: SentinelOne Aoqin Dragon June 2022)
SVCReady

SVCReady can send collected data in JSON format to its C2 server.(Citation: HP SVCReady Jun 2022)

ThiefQuest

ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)
FoggyWeb

FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)
Caterpillar WebShell

Caterpillar WebShell can upload files over the C2 channel.(Citation: ClearSky Lebanese Cedar Jan 2021)

Latrodectus

Latrodectus can exfiltrate encrypted system information to the C2 server.(Citation: Latrodectus APR 2024)(Citation: Bitsight Latrodectus June 2024)
CharmPower

CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.(Citation: Check Point APT35 CharmPower January 2022)
EVILNUM

EVILNUM can upload files over the C2 channel from the infected host.(Citation: Prevailion EvilNum May 2020)

SMOKEDHAM

SMOKEDHAM has exfiltrated data to its C2 server.(Citation: FireEye SMOKEDHAM June 2021)
Sagerunex

Sagerunex encrypts collected system data then exfiltrates via existing command and control channels.(Citation: Cisco LotusBlossom 2025)
Metamorfo

Metamorfo can send the data it collects to the C2 server.(Citation: ESET Casbaneiro Oct 2019)

Bandook

Bandook can upload files from a victim's machine over the C2 channel.(Citation: CheckPoint Bandook Nov 2020)
MagicRAT

MagicRAT exfiltrates data via HTTP over existing command and control channels.(Citation: Cisco MagicRAT 2022)
KONNI

KONNI has sent data and files to its C2 server.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)(Citation: Malwarebytes KONNI Evolves Jan 2022)
DnsSystem

DnsSystem can exfiltrate collected data to its C2 server.(Citation: Zscaler Lyceum DnsSystem June 2022)
BLUELIGHT

BLUELIGHT has exfiltrated data over its C2 channel.(Citation: Volexity InkySquid BLUELIGHT August 2021)
KGH_SPY

KGH_SPY can exfiltrate collected information from the host to the C2 server.(Citation: Cybereason Kimsuky November 2020)
OopsIE

OopsIE can upload files from the victim's machine to its C2 server.(Citation: Unit 42 OopsIE! Feb 2018)
Attor

Attor has exfiltrated data over the C2 channel.(Citation: ESET Attor Oct 2019)
Imminent Monitor

Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.(Citation: QiAnXin APT-C-36 Feb2019)
LitePower

LitePower can send collected data, including screenshots, over its C2 channel.(Citation: Kaspersky WIRTE November 2021)
BoxCaon

BoxCaon uploads files and data from a compromised host over the existing C2 channel.(Citation: Checkpoint IndigoZebra July 2021)
NightClub

NightClub can use SMTP and DNS for file exfiltration and C2.(Citation: MoustachedBouncer ESET August 2023)
Crutch

Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).(Citation: ESET Crutch December 2020)
SDBbot

SDBbot has sent collected data from a compromised host to its C2 servers.(Citation: Korean FSI TA505 2020)
StrelaStealer

StrelaStealer exfiltrates collected email credentials via HTTP POST to command and control servers.(Citation: DCSO StrelaStealer 2022)(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)
Grandoreiro

Grandoreiro can send data it retrieves to the C2 server.(Citation: ESET Grandoreiro April 2020)
Drovorub

Drovorub can exfiltrate files over C2 infrastructure.(Citation: NSA/FBI Drovorub August 2020)
Shark

Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.(Citation: ClearSky Siamesekitten August 2021)
SUGARDUMP

SUGARDUMP has sent stolen credentials and other data to its C2 server.(Citation: Mandiant UNC3890 Aug 2022)
Zebrocy

Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)

LunarMail

LunarMail can use email image attachments with embedded data for receiving C2 commands and data exfiltration.(Citation: ESET Turla Lunar toolset May 2024)
HotCroissant

HotCroissant has the ability to download files from the infected host to the command and control (C2) server.(Citation: Carbon Black HotCroissant April 2020)
REvil

REvil can exfiltrate host and malware information to C2 servers.(Citation: Secureworks REvil September 2019)
Valak

Valak has the ability to exfiltrate data over the C2 channel.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)
OilBooster

OilBooster can use an actor-controlled OneDrive account for C2 communication and exfiltration.(Citation: ESET OilRig Downloaders DEC 2023)
Cyclops Blink

Cyclops Blink has the ability to upload exfiltrated files to a C2 server.(Citation: NCSC Cyclops Blink February 2022)
TajMahal

TajMahal has the ability to send collected files over its C2.(Citation: Kaspersky TajMahal April 2019)
Raccoon Stealer

Raccoon Stealer uses existing HTTP-based command and control channels for exfiltration.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)
IPsec Helper

IPsec Helper exfiltrates specific files through its command and control framework.(Citation: SentinelOne Agrius 2021)
Solar

Solar can send staged files to C2 for exfiltration.(Citation: ESET OilRig Campaigns Sep 2023)
GoldenSpy

GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.(Citation: Trustwave GoldenSpy June 2020)

Carberp

Carberp has exfiltrated data via HTTP to already established C2 servers.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)
MacMa

MacMa exfiltrates data from a supplied path over its C2 channel.(Citation: ESET DazzleSpy Jan 2022)
FunnyDream

FunnyDream can execute commands, including gathering user information, and send the results to C2.(Citation: Bitdefender FunnyDream Campaign November 2020)
SysUpdate

SysUpdate has exfiltrated data over its C2 channel.(Citation: Lunghi Iron Tiger Linux)
OutSteel

OutSteel can upload files from a compromised host over its C2 channel.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Mango

Mango can use its HTTP C2 channel for exfiltration.(Citation: ESET OilRig Campaigns Sep 2023)
Kessel

Kessel has exfiltrated information gathered from the infected system to the C2 server.(Citation: ESET ForSSHe December 2018)
GrimAgent

GrimAgent has sent data related to a compromise host over its C2 channel.(Citation: Group IB GrimAgent July 2021)
Pupy

Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.(Citation: GitHub Pupy)
Lokibot

Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.(Citation: FSecure Lokibot November 2019)
CallMe

CallMe exfiltrates data to its C2 server over the same protocol as C2 communications.(Citation: Scarlet Mimic Jan 2016)
PoetRAT

PoetRAT has exfiltrated data over the C2 channel.(Citation: Talos PoetRAT October 2020)
Penquin

Penquin can execute the command code do_upload to send files to C2.(Citation: Leonardo Turla Penquin May 2020)
Cannon

Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.(Citation: Unit42 Cannon Nov 2018)
CreepySnail

CreepySnail can connect to C2 for data exfiltration.(Citation: Microsoft POLONIUM June 2022)
Troll Stealer

Troll Stealer exfiltrates collected information to its command and control infrastructure.(Citation: S2W Troll Stealer 2024)
Ebury

Ebury exfiltrates a list of outbound and inbound SSH sessions using OpenSSH's `known_host` files and `wtmp` records. Ebury can exfiltrate SSH credentials through custom DNS queries or use the command `Xcat` to send the process's ssh session's credentials to the C2 server.(Citation: ESET Windigo Mar 2014)(Citation: ESET Ebury May 2024)

njRAT

njRAT has used HTTP to receive stolen information from the infected machine.(Citation: Trend Micro njRAT 2018)

Manjusaka

Manjusaka data exfiltration takes place over HTTP channels.(Citation: Talos Manjusaka 2022)
IceApple

IceApple's Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.(Citation: CrowdStrike IceApple May 2022)

metaMain

metaMain can upload collected files and data to its C2 server.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
SideTwist

SideTwist has exfiltrated data over its C2 channel.(Citation: Check Point APT34 April 2021)
MechaFlounder

MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2.(Citation: Unit 42 MechaFlounder March 2019)
Psylo

Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.(Citation: Scarlet Mimic Jan 2016)
Mis-Type

Mis-Type has transmitted collected files and data to its C2 server.(Citation: Cylance Dust Storm)
XCSSET

XCSSET retrieves files that match the pattern defined in the INAME_QUERY variable within the user's home directory, such as `*test.txt`, and are below a specific size limit. It then archives the files and exfiltrates the data over its C2 channel.(Citation: trendmicro xcsset xcode project 2020)(Citation: Microsoft March 2025 XCSSET)
Octopus

Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.(Citation: Securelist Octopus Oct 2018)
AppleJeus

AppleJeus has exfiltrated collected host information to a C2 server.(Citation: CISA AppleJeus Feb 2021)
STARWHALE

STARWHALE can exfiltrate collected data to its C2 servers.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Industroyer

Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.(Citation: ESET Industroyer)
Kevin

Kevin can send data from the victim host through a DNS C2 channel.(Citation: Kaspersky Lyceum October 2021)
Goopy

Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.(Citation: Cybereason Cobalt Kitty 2017)
Remexi

Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.(Citation: Securelist Remexi Jan 2019)
Astaroth

Astaroth exfiltrates collected information from its r1.log file to the external C2 server. (Citation: Cybereason Astaroth Feb 2019)
QakBot

QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.(Citation: Kaspersky QakBot September 2021)
BACKSPACE

Adversaries can direct BACKSPACE to upload files to the C2 Server.(Citation: FireEye APT30)
ADVSTORESHELL

ADVSTORESHELL exfiltrates data over the same channel used for C2.(Citation: ESET Sednit Part 2)
StrifeWater

StrifeWater can send data and files from a compromised host to its C2 server.(Citation: Cybereason StrifeWater Feb 2022)
WarzoneRAT

WarzoneRAT can send collected victim data to its C2 server.(Citation: Check Point Warzone Feb 2020)
SLOTHFULMEDIA

SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Frankenstein

Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)
Operation Wocao

Operation Wocao has used the Xserver backdoor to exfiltrate data.(Citation: FoxIT Wocao December 2019)
Lazarus Group

Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)
Gamaredon Group

A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.(Citation: Palo Alto Gamaredon Feb 2017)
APT39

APT39 has exfiltrated stolen victim data through C2 communications.(Citation: FBI FLASH APT39 September 2020)
MuddyWater

MuddyWater has used C2 infrastructure to receive exfiltrated data.(Citation: Reaqta MuddyWater November 2017)
Leviathan

Leviathan has exfiltrated data over its C2 channel.(Citation: CISA AA21-200A APT40 July 2021)
ZIRCONIUM

ZIRCONIUM has exfiltrated files via the Dropbox API C2.(Citation: Zscaler APT31 Covid-19 October 2020)
BlackByte

BlackByte transmitted collected victim host information via HTTP POST to command and control infrastructure.(Citation: Microsoft BlackByte 2023)
Wizard Spider

Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Mandiant FIN12 Oct 2021)
Confucius

Confucius has exfiltrated stolen files to its C2 server.(Citation: TrendMicro Confucius APT Aug 2021)
APT32

APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.(Citation: ESET OceanLotus Mar 2019)
Higaisa

Higaisa exfiltrated data over its C2 channel.(Citation: Zscaler Higaisa 2020)
LuminousMoth

LuminousMoth has used malware that exfiltrates stolen data to its C2 server.(Citation: Kaspersky LuminousMoth July 2021)
Chimera

Chimera has used Cobalt Strike C2 beacons for data exfiltration.(Citation: NCC Group Chimera January 2021)

Kimsuky

Kimsuky has exfiltrated data over its C2 channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)
Sandworm Team

Sandworm Team has sent system information to its C2 server using HTTP.(Citation: ESET Telebots Dec 2016)

Ke3chang

Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.(Citation: Mandiant Operation Ke3chang November 2014)
Agrius

Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers.(Citation: Unit42 Agrius 2023)
APT3

APT3 has a tool that exfiltrates data over the C2 channel.(Citation: FireEye Clandestine Fox)
Winter Vivern

Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.(Citation: CERT-UA WinterVivern 2023)
CURIUM

CURIUM has used IMAP and SMTPS for exfiltration via tools such as IMAPLoader.(Citation: PWC Yellow Liderc 2023)
GALLIUM

GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.(Citation: Cybereason Soft Cell June 2019)
Stealth Falcon

After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.(Citation: Citizen Lab Stealth Falcon May 2016)

Контрмеры
Контрмера Описание
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.
Exfiltration Over Command and Control Channel Mitigation

Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Data Loss Prevention

Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks. (Citation: PurpleSec Data Loss Prevention) This mitigation can be implemented through the following measures: Sensitive Data Categorization: - Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets). - Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details. Exfiltration Restrictions: - Use Case: Prevent unauthorized transmission of sensitive data. - Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage. Data-in-Transit Monitoring: - Use Case: Detect and prevent the transmission of sensitive data over unapproved channels. - Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions. Endpoint Data Protection: - Use Case: Monitor and control sensitive data usage on endpoints. - Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing. Cloud Data Security: - Use Case: Protect data stored in cloud platforms. - Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

Обнаружение

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)

Ссылки

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  3. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  4. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  5. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  6. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  7. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  8. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  9. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.
  10. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  11. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  12. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
  13. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  14. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  15. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  16. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  17. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  18. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  19. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  20. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
  21. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  22. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  23. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  24. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  25. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  26. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  27. Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
  28. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  29. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  30. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  31. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  32. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  33. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  34. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  35. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  36. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  37. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  38. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  39. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  40. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  41. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  42. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  43. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  44. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  45. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  46. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  47. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  48. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  49. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  50. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  51. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  52. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  53. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  54. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  55. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.
  56. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  57. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  58. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  59. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  60. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  61. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  62. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
  63. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  64. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  65. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  66. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  67. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  68. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  69. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
  70. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  71. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  72. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  73. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  74. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
  75. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  76. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  77. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  78. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  79. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  80. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
  81. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
  82. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  83. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  84. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
  85. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (202