Skip to content

T1544 Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

Item Value
ID T1544
Sub-techniques
Tactics TA0037
Platforms Android, iOS
Version 2.2
Created 21 January 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can receive files from the C2 at runtime.16
C0033 C0033 During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.20
S1083 Chameleon Chameleon has downloaded HTML overlay pages after installation.5
S1225 CherryBlos CherryBlos has received configuration files from the C2 server.18
S1231 GodFather GodFather has downloaded Google Play Store, Google Play services and Google Services Framework APK to a virtual folder.14
S1185 LightSpy LightSpy has retrieved files from the C2 server.34 Examples of files from the C2 are amfidebilitate (jailbreak component), jbexec (executable to verify jailbreak), bb (FrameworkLoader), cc (launchctl binary for persistence), b.plist (configuration for auto-start), and resources.zip, which contains additional jailbreak-related components.2
S0485 Mandrake Mandrake can install attacker-specified components or applications.17
S0407 Monokle Monokle can download attacker-specified files.15
C0054 Operation Triangulation During Operation Triangulation, the threat actors downloaded subsequent stages from the C2.191
S1126 Phenakite Phenakite can download additional malware to the victim device.10
S0326 RedDrop RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.13
S1055 SharkBot SharkBot can download attacker-specified files.12
S1195 SpyC23 SpyC23 can download more malware to the victim device.867
S1082 Sunbird Sunbird can download adversary specified content from FTP shares.11
S1216 TriangleDB TriangleDB has loaded additional modules stored in memory.1
S0418 ViceLeaker ViceLeaker can download attacker-specified files.9

References

  1. Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024. 

  2. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025. 

  3. Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025. 

  4. ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025. 

  5. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023. 

  6. CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024. 

  7. Delamotte, A. (2023, November 6). Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024. 

  8. Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024. 

  9. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  10. Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024. 

  11. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. 

  12. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. 

  13. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024. 

  14. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025. 

  15. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. 

  16. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  17. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. 

  18. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025. 

  19. Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024. 

  20. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.