T1646 Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

ID: T1646
Sub-techniques: none
Tactics: TA0036
Platforms: Android, iOS
Version: 1.1
Created: 01 April 2022
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1061 AbstractEmu: AbstractEmu can send large amounts of device data over its C2 channel, including the device's manufacturer, model, version and serial number, telephone number, and IP address. [13]
S1095 AhRat: AhRat can exfiltrate collected data to the C2, such as audio recordings and files. [4]
S1215 Binary Validator: Binary Validator has exfiltrated collected data to the C2 server. [24]
S1079 BOULDSPY: BOULDSPY has exfiltrated cached data from infected devices. [14]
S1094 BRATA: BRATA has exfiltrated data to the C2 server using HTTP requests. [18]
C0033 C0033: During C0033, PROMETHIUM used StrongPity to exfiltrate to the C2 server using HTTPS. [29][28]
S1083 Chameleon: Chameleon has sent stolen data over HTTP. [7]
S1225 CherryBlos: CherryBlos has exfiltrated credentials collected from pictures that have been analyzed using optical character recognition (OCR). [20]
S1054 Drinik: Drinik can send stolen data back to the C2 server. [3]
S0507 eSurv: eSurv has exfiltrated data using HTTP PUT requests. [23]
S1080 Fakecalls: Fakecalls can send exfiltrated data back to the C2 server. [19]
S1067 FluBot: FluBot can send contact lists to its C2 server. [22]
S1093 FlyTrap: FlyTrap can use HTTP to exfiltrate data to the C2 server. [17]
S1231 GodFather: GodFather has exfiltrated sensitive information over C2. [12][11]
S0551 GoldenEagle: GoldenEagle has exfiltrated data via both SMTP and HTTP. [1]
S0421 GolfSpy: GolfSpy exfiltrates data using HTTP POST requests. [6]
S1077 Hornbill: Hornbill can exfiltrate data back to the C2 server using HTTP. [15]
S1185 LightSpy: LightSpy has exfiltrated collected data to the C2. [10]
C0016 Operation Dust Storm: During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers. [27]
S0399 Pallas: Pallas exfiltrates data using HTTP. [26]
S1241 RatMilad: RatMilad has exfiltrated collected data to the C2. [5]
S0326 RedDrop: RedDrop uses standard HTTP for exfiltration. [16]
S1055 SharkBot: SharkBot can exfiltrate captured user credentials and event logs back to the C2 server. [2]
S1082 Sunbird: Sunbird can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure. [15]
S0424 Triada: Triada utilized HTTP to exfiltrate data through POST requests to the command and control server. [21]
S0418 ViceLeaker: ViceLeaker uses HTTP data exfiltration. [8][9]
S0490 XLoader for iOS: XLoader for iOS has exfiltrated data using HTTP requests. [25]

References

  1. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  2. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. 

  3. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024. 

  4. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023. 

  5. Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Retrieved August 27, 2025. 

  6. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. 

  7. Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023. 

  8. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  9. L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020. 

  10. Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025. 

  11. Merkle Science. (2023, April 25). The Godfather Android Malware: Threat under the lens. Retrieved July 16, 2025. 

  12. Ortega, F. Pratapagiri, V. (2025, June 18). Your Mobile App, Their Playground: The Dark Side of Virtualization. Retrieved July 16, 2025. 

  13. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  14. Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023. 

  15. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023. 

  16. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024. 

  17. A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. Retrieved September 28, 2023. 

  18. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023. 

  19. Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023. 

  20. Trend Micro Research. (2023, July 28). Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns. Retrieved March 28, 2025. 

  21. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. 

  22. Crista Giering, F. Naves, Andrew Conway, Adam McNeil. (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.

  23. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. 

  24. Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024. 

  25. Hiroaki, H., Wu, L., Wu, L. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.

  26. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  27. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  28. Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023. 

  29. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.