

CORALDECK is an exfiltration tool used by APT37.[1]

| Item | Value |
|---|---|
| ID | S0212 |
| Associated Names | |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | CORALDECK has exfiltrated data in HTTP POST headers.[1] |
| enterprise | T1083 | File and Directory Discovery | CORALDECK searches for specified files.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [1] |

