Skip to content

T1020 Automated Exfiltration

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.1

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

Item Value
ID T1020
Sub-techniques T1020.001
Tactics TA0010
Platforms Linux, Network Devices, Windows, macOS
Version 1.3
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0046 ArcaneDoor ArcaneDoor included scripted exfiltration of collected data.33
S0438 Attor Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.23
S0050 CosmicDuke CosmicDuke exfiltrates collected files automatically over FTP to remote servers.22
S0538 Crutch Crutch has automatically exfiltrated stolen files to Dropbox.21
S0600 Doki Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.7
S0377 Ebury If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.1213
S0363 Empire Empire has the ability to automatically send collected data back to the threat actors’ C2.2
C0001 Frankenstein During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary’s C2.2
G0047 Gamaredon Group Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.1
S1211 Hannotog Hannotog can upload encyrpted data for exfiltration.18
G0004 Ke3chang Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.28
S0395 LightNeuron LightNeuron can be configured to automatically exfiltrate files under a specified directory.6
S0409 Machete Machete’s collected files are exfiltrated automatically to remote servers.11
S1017 OutSteel OutSteel can automatically upload collected files to its C2 server.9
S0643 Peppy Peppy has the ability to automatically exfiltrate files and keylogs.10
S1148 Raccoon Stealer Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.161514
G1039 RedCurl RedCurl has used batch scripts to exfiltrate data.2930
S0090 Rover Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.8
C0059 Salesforce Data Exfiltration During Salesforce Data Exfiltration, threat actors used API queries to automatically exfiltrate large volumes of data.34
S0445 ShimRatReporter ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.3
G0121 Sidewinder Sidewinder has configured tools to automatically send collected files to attacker controlled servers.27
S1166 Solar Solar can automatically exfitrate files from compromised systems.17
S1183 StrelaStealer StrelaStealer automatically sends gathered email credentials following collection to command and control servers via HTTP POST.2425
S0491 StrongPity StrongPity can automatically exfiltrate collected documents to the C2 server.45
S0467 TajMahal TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.19
S0131 TINYTYPHON When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.26
G0081 Tropic Trooper Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.32
S0136 USBStealer USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. 20
G1035 Winter Vivern Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.31

References

  1. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  2. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 

  3. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  4. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  5. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  6. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 

  7. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. 

  8. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  9. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  10. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  11. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  12. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021. 

  13. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024. 

  14. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  15. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024. 

  16. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  17. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024. 

  18. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025. 

  19. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  20. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  21. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. 

  22. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  23. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  24. DCSO CyTec Blog. (2022, November 8). #ShortAndMalicious: StrelaStealer aims for mail credentials. Retrieved December 31, 2024. 

  25. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024. 

  26. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  27. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  28. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  29. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. 

  30. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 

  31. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024. 

  32. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  33. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025. 

  34. FBI Cyber Division. (2025, September 12). Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion. Retrieved October 22, 2025.