Skip to content

T1646 Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Item Value
ID T1646
Tactics TA0036
Platforms Android, iOS
Version 1.0
Created 01 April 2022
Last Modified 08 April 2022

Procedure Examples

ID Name Description
S1061 AbstractEmu AbstractEmu can send large amounts of device data over its C2 channel, including the device’s manufacturer, model, version and serial number, telephone number, and IP address.9
S1054 Drinik Drinik can send stolen data back to the C2 server.13
S0507 eSurv eSurv has exfiltrated data using HTTP PUT requests.8
S1067 FluBot FluBot can send contact lists to its C2 server.11
S0551 GoldenEagle GoldenEagle has exfiltrated data via both SMTP and HTTP.3
S0421 GolfSpy GolfSpy exfiltrates data using HTTP POST requests.12
C0016 Operation Dust Storm During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim’s mobile device to the C2 servers.14
S0399 Pallas Pallas exfiltrates data using HTTP.6
S0326 RedDrop RedDrop uses standard HTTP for exfiltration.1
S1055 SharkBot SharkBot can exfiltrate captured user credentials and event logs back to the C2 server. 10
S0424 Triada Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.7
S0418 ViceLeaker ViceLeaker uses HTTP data exfiltration.45
S0490 XLoader for iOS XLoader for iOS has exfiltrated data using HTTP requests.2


  1. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018. 

  2. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. 

  3. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020. 

  4. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019. 

  5. L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020. 

  6. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  7. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. 

  8. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020. 

  9. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023. 

  10. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. 

  11. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. 

  12. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. 

  13. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023. 

  14. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.