T1030 Data Transfer Size Limits

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.
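
The following is an added detection example, not part of the ATT&CK entry: because chunking keeps each individual transfer under a per-transfer alert, it sums outbound bytes per source/destination pair per time window and separately flags pairs whose transfers are mostly the same size. The flow-record layout, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration; tune to your own baseline.
PER_FLOW_ALERT = 5_000_000   # existing per-transfer alert that chunking stays under
AGG_ALERT = 20_000_000       # outbound bytes per (src, dst) per window
WINDOW = 3600                # tumbling window, seconds
MIN_FLOWS = 10               # ignore pairs with only a handful of transfers
SIZE_TOL = 0.02              # a flow "matches" if within 2% of the median size
UNIFORM_SHARE = 0.8          # share of matching flows that counts as fixed-size

# Constructed flow records: (seconds since capture start, src, dst, bytes_out).
FLOWS = (
    # 12 chunks of 3 MB plus a short final chunk
    [(60 * i, "10.0.0.5", "203.0.113.10", 3_000_000) for i in range(12)]
    + [(720, "10.0.0.5", "203.0.113.10", 1_200_000)]
    # 60 parts of varying size between 384 and 512 KiB
    + [(30 * i, "10.0.0.7", "198.51.100.20", 393_216 + (i * 7919) % 131_072)
       for i in range(60)]
    # ordinary mixed-size traffic
    + [(45 * i, "10.0.0.9", "192.0.2.30", 20_000 + 15_000 * i) for i in range(12)]
)

def find_chunked_exfil(flows):
    """Return (src, dst, total_bytes, largest_flow, reasons) per flagged window."""
    buckets = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        buckets[(src, dst, ts // WINDOW)].append(nbytes)
    hits = []
    for (src, dst, _win), sizes in sorted(buckets.items()):
        if len(sizes) < MIN_FLOWS:
            continue
        total, mid = sum(sizes), median(sizes)
        # Share of flows near the median; tolerates the short trailing chunk.
        share = sum(abs(s - mid) <= SIZE_TOL * mid for s in sizes) / len(sizes)
        reasons = []
        if total >= AGG_ALERT:
            reasons.append("aggregate-volume")
        # Only treat uniformity as suspicious once the volume is meaningful.
        if share >= UNIFORM_SHARE and total >= PER_FLOW_ALERT:
            reasons.append("uniform-chunks")
        if reasons:
            hits.append((src, dst, total, max(sizes), reasons))
    return hits

if __name__ == "__main__":
    for hit in find_chunked_exfil(FLOWS):
        print(hit)
```

The uniformity rule does not fire on randomized part sizes, so the aggregate rule runs alongside it rather than being replaced by it.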

| Item | Value |
|---|---|
| ID | T1030 |
| Sub-techniques | |
| Tactics | TA0010 |
| Platforms | ESXi, Linux, Windows, macOS |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 24 October 2025 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0622 | AppleSeed | AppleSeed has divided files if the size is 0x1000000 bytes or more.[11] |
| G0007 | APT28 | APT28 has split archived exfiltration files into chunks smaller than 1MB.[21] |
| G0096 | APT41 | APT41 transfers post-exploitation files, dividing the payload into fixed-size chunks to evade detection.[22] |
| C0015 | C0015 | During C0015, the threat actors limited Rclone’s bandwidth setting during exfiltration.[3] |
| C0026 | C0026 | During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[23] |
| S0030 | Carbanak | Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes.[15] |
| S0154 | Cobalt Strike | Cobalt Strike will break large data sets into smaller chunks for exfiltration.[12] |
| S0170 | Helminth | Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.[16] |
| S0487 | Kessel | Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.[7] |
| S1020 | Kevin | Kevin can exfiltrate data to the C2 server in 27-character chunks.[8] |
| G1014 | LuminousMoth | LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[19] |
| S1141 | LunarWeb | LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple random-sized parts between 384 and 512 KB.[14] |
| S0699 | Mythic | Mythic supports custom chunk sizes used to upload/download files.[2] |
| S0644 | ObliqueRAT | ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[9] |
| S0264 | OopsIE | OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[5] |
| G1040 | Play | Play has split victims’ files into chunks for exfiltration.[17][18] |
| S0150 | POSHSPY | POSHSPY uploads data in 2048-byte chunks.[6] |
| S1040 | Rclone | The Rclone “chunker” overlay supports splitting large files into smaller chunks during upload to circumvent size limits.[4][3] |
| S0495 | RDAT | RDAT can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. RDAT can also download data from the C2 which is split into 81,920-byte portions.[13] |
| S1200 | StealBit | StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms.[10] |
| G0027 | Threat Group-3390 | Threat Group-3390 actors have split RAR files for exfiltration into parts.[20] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. |

References


  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. Thomas, C. (n.d.). Mythic Documentation. Retrieved March 25, 2022. 

  3. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  4. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022. 

  5. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  6. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 

  7. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. 

  8. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  9. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  10. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025. 

  11. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. 

  12. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  13. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  14. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  15. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  16. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  17. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. 

  18. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. 

  19. Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  20. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  21. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  22. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. 

  23. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.