Skip to content

T1481.001 Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).

Item Value
ID T1481.001
Sub-techniques T1481.001, T1481.002, T1481.003
Tactics TA0037
Platforms Android, iOS
Version 1.1
Created 06 April 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0310 ANDROIDOS_ANSERVER.A ANDROIDOS_ANSERVER.A uses encrypted content within a blog site for part of its command and control. Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.4
S0422 Anubis Anubis can retrieve the C2 address from Twitter and Telegram.32
S0539 Red Alert 2.0 Red Alert 2.0 can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.5
S0318 XLoader for Android XLoader for Android has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.1


ID Data Source Data Component
DS0041 Application Vetting Network Communication