T1001 Data Obfuscation

Adversaries may obfuscate command and control traffic to make it more difficult to detect.[1] Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content harder to discover or decipher, to make the communication less conspicuous, and to keep commands from being seen in transit. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

ID: T1001
Sub-techniques: T1001.001 (Junk Data), T1001.002 (Steganography), T1001.003 (Protocol or Service Impersonation)
Tactics: TA0011 (Command and Control)
Platforms: ESXi, Linux, Windows, macOS
Version: 1.2
Created: 31 May 2017
Last Modified: 24 October 2025

Procedure Examples

S1111 DarkGate: DarkGate retrieves encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.[8]
S0381 FlawedAmmyy: FlawedAmmyy may obfuscate portions of the initial C2 handshake.[11]
S1120 FRAMESTING: FRAMESTING can send and receive zlib-compressed data within POST requests.[9]
S1044 FunnyDream: FunnyDream can send compressed and obfuscated packets to C2.[2]
G0047 Gamaredon Group: Gamaredon Group has used obfuscated VBScripts with randomly generated variable names and concatenated strings.[13]
S1100 Ninja: Ninja has the ability to modify headers and URL paths to hide malicious traffic in HTTP requests.[6]
S0439 Okrum: Okrum leverages the HTTP protocol for C2 communication while hiding the actual messages in the Cookie (request) and Set-Cookie (response) headers of the HTTP traffic.[4]
C0014 Operation Wocao: During Operation Wocao, threat actors encrypted the IP addresses used for "Agent" proxy hops with RC4.[14]
S0495 RDAT: RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.[10]
S0610 SideTwist: SideTwist can embed C2 responses in the source code of a fake Flickr webpage.[12]
S0533 SLOTHFULMEDIA: SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests.[5]
S1183 StrelaStealer: StrelaStealer encrypts the payload of HTTP POST communications using the same XOR key used for the malware's DLL payload.[3]
S0682 TrailBlazer: TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.[7]
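Several of the procedure examples above share a small set of carriers for hidden C2 content: base64 of encrypted bytes in a Cookie value (Okrum, StrelaStealer's XOR), encoded data in a long subdomain label (RDAT), and a compressed blob behind an innocuous Content-Type (FRAMESTING). The script below is an added example written for this page, not MITRE's, ESET's or any vendor's code; it runs three content-level heuristics over constructed HTTP request records. The domain `example.com`, the XOR key, the header names, and the length/entropy thresholds are all assumptions chosen for illustration, and nothing here is a signature for a specific family.

```python
"""Heuristic checks for obfuscated C2 hidden in HTTP fields (added example, not
MITRE's code). Requests, key, domain and thresholds are constructed assumptions."""
import base64
import binascii
import math
import re
import zlib
from collections import Counter
from typing import Dict, List, Optional

BASE_DOMAIN = "example.com"          # assumption: domain whose subdomains we inspect
XOR_KEY = b"\x9f\xe3\xb1\xd1"        # assumption: any key with the high bit set in every byte


def shannon_entropy(data: bytes) -> float:
    """Bits per symbol; encrypted or compressed data sits near log2(len(data))."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the transform StrelaStealer is described as using."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_b64(value: str) -> Optional[bytes]:
    """Strict base64 decode (standard or URL-safe alphabet); None if not base64."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return None
    padded = value.replace("-", "+").replace("_", "/") + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def non_printable_fraction(data: bytes) -> float:
    """Share of bytes outside printable ASCII (tabs/newlines allowed)."""
    return sum(1 for b in data if not 0x20 <= b <= 0x7E and b not in (9, 10, 13)) / len(data)


def suspicious_cookie_values(cookie_header: str) -> List[str]:
    """Okrum-style carrier: cookie values that decode to non-text bytes."""
    hits = []
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        decoded = decode_b64(value)
        if decoded and non_printable_fraction(decoded) > 0.3:
            hits.append(name)
    return hits


def suspicious_dns_label(host: str, base_domain: str = BASE_DOMAIN, min_len: int = 24) -> bool:
    """RDAT-style carrier: a long, high-entropy label under the monitored domain."""
    if not host.endswith("." + base_domain):
        return False
    labels = host[: -(len(base_domain) + 1)].split(".")
    return any(len(lbl) >= min_len and re.fullmatch(r"[a-z0-9]+", lbl)
               and shannon_entropy(lbl.encode()) > 3.5 for lbl in labels)


def compressed_body_mismatch(headers: Dict[str, str], body: bytes) -> bool:
    """FRAMESTING-style carrier: a zlib stream in a body whose Content-Type says text."""
    ctype = headers.get("Content-Type", "").lower()
    if not body or "zip" in ctype or ctype.startswith(("application/octet-stream", "application/zlib")):
        return False
    try:
        zlib.decompress(body)
        return True
    except zlib.error:
        return False


def analyze(req: dict) -> List[str]:
    """Findings for one request record (keys: host, path, headers, body); [] means clean."""
    findings = []
    headers = req.get("headers", {})
    for name in suspicious_cookie_values(headers.get("Cookie", "")):
        findings.append(f"cookie '{name}' carries base64 of non-text bytes")
    if suspicious_dns_label(req["host"]):
        findings.append("high-entropy subdomain label under the monitored domain")
    if compressed_body_mismatch(headers, req.get("body", b"")):
        findings.append("zlib-compressed body behind a text Content-Type")
    return findings


def build_samples() -> Dict[str, dict]:
    """Constructed traffic: one benign request and three shaped like the carriers above."""
    hidden = base64.b64encode(xor_bytes(b"cmd=whoami;sleep=30", XOR_KEY)).decode()
    return {
        "benign": {"host": "www.example.com", "path": "/login",
                   "headers": {"Cookie": "lang=en-US; theme=dark",
                               "Content-Type": "application/x-www-form-urlencoded"},
                   "body": b"user=alice&remember=1"},
        "cookie_carrier": {"host": "www.example.com", "path": "/index.html",
                           "headers": {"Cookie": f"lang=en-US; PHPSESSID={hidden}"}, "body": b""},
        "dns_carrier": {"host": "4f9a2c7e1b3d8f6a0c5e9b2d7f1a3c8e.example.com", "path": "/",
                        "headers": {}, "body": b""},
        "zlib_carrier": {"host": "www.example.com", "path": "/api/update",
                         "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                         "body": zlib.compress(b'{"task":"ls","cwd":"/tmp"}')},
    }


if __name__ == "__main__":
    for name, req in build_samples().items():
        print(f"{name:15s} -> {analyze(req) or ['clean']}")
```

These are triage hints, not detections: a legitimate session token is also base64 of random-looking bytes, so the cookie check only means something against a baseline of what that host normally sets, and the TrailBlazer and SideTwist entries above (traffic shaped to look like a real service) are invisible to content inspection of this kind and need destination, certificate or DNS context instead.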

Mitigations

M1031 Network Intrusion Prevention: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

References

1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
2. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
3. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024.
4. Hromcova, Z. (2019, July). Okrum and Ketrican: An Overview of Recent Ke3chang Group Activity. Retrieved May 6, 2020.
5. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 - Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
6. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
7. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
8. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
9. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
10. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
11. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
12. Check Point. (2021, April 8). Iran's APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
13. Unit 42. (2022, December 20). Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
14. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.