Skip to content

T1521 Encrypted Channel

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

Item Value
ID T1521
Sub-techniques T1521.001, T1521.002, T1521.003
Tactics TA0037
Platforms Android, iOS
Version 2.0
Created 01 October 2019
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1095 AhRat AhRat can communicate with the C2 using HTTPS requests.1
S0302 Twitoor Twitoor encrypts its C2 communication.2

References

  1. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023. 

  2. ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.