Skip to content

T1571 Non-Standard Port

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 80882 or port 5874 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

Adversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.3

Item Value
ID T1571
Sub-techniques
Tactics TA0011
Platforms ESXi, Linux, Windows, macOS
Version 1.3
Created 14 March 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G0099 APT-C-36 APT-C-36 has used port 4050 for C2 communications.63
G0050 APT32 An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration.53
G0064 APT33 APT33 has used HTTP over TCP ports 808 and 880 for command and control.2
S0245 BADCALL BADCALL communicates on ports 443 and 8000 with a FakeTLS method.40
S0239 Bankshot Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.45
S1246 BeaverTail BeaverTail has communicated with C2 IP addresses over ports 1224 or 1244.262728
S0574 BendyBear BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.25
C0018 C0018 During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.66
C0032 C0032 During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.68
G1052 Contagious Interview Contagious Interview has used TCP port 1224 for C2.50
S1155 Covenant Covenant listeners and controllers can be configured to use non-standard ports.5
S0687 Cyclops Blink Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.47
G0105 DarkVishnya DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.62
S0021 Derusbi Derusbi has used unencrypted HTTP on port 443 for C2.32
G1003 Ember Bear Ember Bear has used various non-standard ports for C2 communication.52
S0367 Emotet Emotet has used HTTP over ports such as 20, 22, 443, 7080, and 50000, in addition to using ports commonly associated with HTTP/S.109
G0046 FIN7 FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.58 FIN7 has used TCP ports 59999 and 9898 for firewall rules.57
G0047 Gamaredon Group Gamaredon Group has used port 6856 for C2 communications.61
S0493 GoldenSpy GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.13
S0237 GravityRAT GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.44
S1211 Hannotog Hannotog uses non-standard listening ports, such as UDP 5900, for command and control purposes.7
S0246 HARDRAIN HARDRAIN binds and listens on port 443 with a FakeTLS method.21
S0376 HOPLIGHT HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.18
C0043 Indian Critical Infrastructure Intrusions During Indian Critical Infrastructure Intrusions, RedEcho used non-standard ports such as TCP 8080 for HTTP communication.51
S1245 InvisibleFerret InvisibleFerret has been observed utilizing HTTP communications to the C2 server over ports 1224, 2245 and 8637.42
C0035 KV Botnet Activity KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.71
G0032 Lazarus Group Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.5655
S1016 MacMa MacMa has used TCP port 5633 for C2 Communication.31
G0059 Magic Hound Magic Hound malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.6059
S0455 Metamorfo Metamorfo has communicated with hosts over raw TCP on port 9999.24
S0149 MoonWind MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.20
S0385 njRAT njRAT has used port 1177 for HTTP C2 communications.29
C0014 Operation Wocao During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 25667 and 47000.65
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2.23
S1145 Pikabot Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.22
S1031 PingPull PingPull can use HTTPS over port 8080 for C2.8
S0013 PlugX PlugX has used random, high-number, non-standard ports to listen for subsequent actions and C2 activities.41
S0428 PoetRAT PoetRAT used TLS to encrypt communications over port 14312
C0055 Quad7 Activity Quad7 Activity has used non-standard TCP ports – such as 7777, 11288, 63256, 63210, 3256, and 3556 for C2.7069
S0262 QuasarRAT QuasarRAT can use port 4782 on the compromised host for TCP callbacks.6
S1130 Raspberry Robin Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.15
G1042 RedEcho RedEcho has used non-standard ports such as TCP 8080 for HTTP communication.51
S0153 RedLeaves RedLeaves can use HTTP over non-standard ports, such as 995, for C2.46
C0056 RedPenguin During RedPenguin, UNC3886 used a backdoor that binds to port 45678 by default.67
G0106 Rocke Rocke’s miner connects to a C2 server using port 51640.64
S1078 RotaJakiro RotaJakiro uses a custom binary protocol over TCP port 443.34
S0148 RTM RTM used Port 44443 for its VNC module.35
G0034 Sandworm Team Sandworm Team has used port 6789 to accept connections on the group’s SSH server.54
S1085 Sardonic Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443.30
G0091 Silence Silence has used port 444 when sending data about the system from the client to the server.49
S0491 StrongPity
StrongPity has used HTTPS over port 1402 in C2 communication.11
S1049 SUGARUSH SUGARUSH has used port 4585 for a TCP connection to its C2.14
S0266 TrickBot Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.393836 Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. 37
S0263 TYPEFRAME TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.43
G1047 Velvet Ant Velvet Ant has used random high number ports for PlugX listeners on victim devices.41
S1218 VIRTUALPIE VIRTUALPIE has created listeners on hard coded TCP port 546.33
S1217 VIRTUALPITA VIRTUALPITA has created listeners on hard coded TCP ports such as 2233, 7475, and 18098.33
S0515 WellMail WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.1617
G0090 WIRTE WIRTE has used HTTPS over ports 2083 and 2087 for C2.48
S0412 ZxShell ZxShell can use ports 1985 and 1986 in HTTP/S communication.19

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1030 Network Segmentation Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports for that particular network segment.

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  3. The DFIR Report. (2022, March 1). “Change RDP port” #ContiLeaks. Retrieved September 12, 2024. 

  4. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. 

  5. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024. 

  6. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  7. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025. 

  8. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 

  9. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023. 

  10. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. 

  11. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 

  12. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  13. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 

  14. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  15. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024. 

  16. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. 

  17. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. 

  18. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. 

  19. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  20. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. 

  21. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018. 

  22. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024. 

  23. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023. 

  24. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  25. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  26. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  27. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  28. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025. 

  29. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  30. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 

  31. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  32. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  33. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025. 

  34. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023. 

  35. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  36. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. 

  37. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. 

  38. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  39. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  40. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018. 

  41. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. 

  42. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025. 

  43. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. 

  44. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  45. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 

  46. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  47. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  48. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  49. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025. 

  50. Recorded Future Insikt Group. (2021, February). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved November 21, 2024. 

  51. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. 

  52. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  53. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020. 

  54. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  55. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  56. The BlackBerry Research and Intelligence Team. (2024, April 17). Threat Group FIN7 Targets the U.S. Automotive Industry. Retrieved May 1, 2025. 

  57. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  58. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 

  59. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  60. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025. 

  61. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020. 

  62. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  63. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  64. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  65. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  66. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025. 

  67. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 

  68. Aime, F. et al. (n.d.). Solving the 7777 Botnet enigma: A cybersecurity quest. Retrieved July 23, 2024. 

  69. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025. 

  70. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.