Data Obfuscation: Protocol or Service Impersonation

ID Name
T1001.001 Junk Data
T1001.002 Steganography
T1001.003 Protocol or Service Impersonation

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may perform a fake SSL/TLS handshake so that the subsequent traffic appears to be SSL/TLS encrypted, potentially interfering with some security tooling, or so that the traffic appears to be related to a trusted entity.

Adversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.[1][2]

ID: T1001.003
Sub-technique of: T1001
Platforms: ESXi, Linux, Windows, macOS
Contributors: James Emery-Callcott, Emerging Threats Team, Proofpoint
Version: 2.1
Created: 15 March 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0245 BADCALL

BADCALL uses a FakeTLS method during C2.[3]

S0239 Bankshot

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[4]

S1226 BOOKWORM

BOOKWORM has modified HTTP POST requests to resemble legitimate communications.[5]

C0017 C0017

During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[6]

S0154 Cobalt Strike

Cobalt Strike can leverage the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI.[7]

S0076 FakeM

FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective.[8]

S0181 FALLCHILL

FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.[9]

S1120 FRAMESTING

FRAMESTING uses a cookie named DSID to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.[10]

S0246 HARDRAIN

HARDRAIN uses FakeTLS to communicate with its C2 server.[11]

G0126 Higaisa

Higaisa used a FakeTLS session for C2 communications.[12]

S0260 InvisiMole

InvisiMole can mimic HTTP protocol with custom HTTP "verbs" HIDE, ZVVP, and NOP.[13][14]

S0387 KeyBoy

KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.[15]

G0032 Lazarus Group

Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.[16][17][18][19]

G0129 Mustang Panda

Mustang Panda has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. Mustang Panda has used FakeTLS to communicate with its C2 servers.[20]

S1100 Ninja

Ninja has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malicious traffic.[21]

S0439 Okrum

Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.[1]

S1228 PUBLOAD

PUBLOAD has modified HTTP POST requests to resemble legitimate communications.[22][5] PUBLOAD used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. PUBLOAD has utilized FakeTLS headers with the bytes 17 03 03.[23]

S1227 StarProxy

StarProxy has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. StarProxy used FakeTLS to communicate with its C2 server.[20]

S0559 SUNBURST

SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.[24]

S0586 TAINTEDSCRIBE

TAINTEDSCRIBE has used FakeTLS for session authentication.[25]

S1239 TONESHELL

TONESHELL used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic.[23][20] TONESHELL variants have utilized FakeTLS headers with the bytes 0x17 0x03 0x03 to represent TLSv1.2 and 0x17 0x03 0x04 for TLSv1.3.[20]

S0022 Uroburos

Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic.[26]
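The FakeTLS pattern described above (a fake handshake, or raw C2 payloads prefixed with the 0x17 0x03 0x03 / 0x17 0x03 0x04 record headers noted for PUBLOAD, TONESHELL and StarProxy) can be checked for on the first bytes a client sends. The following is an added example, not MITRE's or any vendor's code; the sample byte strings are constructed, not real captures.

```python
"""Heuristic FakeTLS check on the first bytes a client sends on a connection.
Genuine TLS always opens with a handshake record (0x16) carrying a ClientHello;
a stream that opens with an application_data record (0x17), or that uses
record version 0x0304, is not real TLS. Added example, not vendor code."""
import struct

# TLS record-layer content types (RFC 5246 / RFC 8446)
HANDSHAKE = 0x16
APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01  # handshake message type


def parse_record(data: bytes):
    """Return (content_type, (major, minor), length, body) for the first
    TLS record in `data`, or None if fewer than 5 header bytes are present."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length, data[5:5 + length]


def classify_client_first_bytes(data: bytes) -> str:
    """'tls_client_hello' for a real TLS opening, 'fake_tls' for a TLS-looking
    record header that real TLS never sends first, 'not_tls' otherwise."""
    rec = parse_record(data)
    if rec is None:
        return "not_tls"
    ctype, version, _length, body = rec
    if version[0] != 3:          # every TLS version on the wire is 3.x
        return "not_tls"
    if version == (3, 4):
        # RFC 8446: the record-layer version is frozen at 0x0303 even for
        # TLS 1.3, so a 0x0304 record header is itself a FakeTLS marker.
        return "fake_tls"
    if ctype == HANDSHAKE and body[:1] == bytes([CLIENT_HELLO]):
        return "tls_client_hello"
    if ctype == APPLICATION_DATA:
        # Real TLS never starts with application data; 17 03 03 glued onto
        # a raw C2 payload is the pattern described for PUBLOAD/TONESHELL.
        return "fake_tls"
    return "not_tls"


# Constructed samples (not real captures)
REAL_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03])
FAKE_TLS12 = bytes([0x17, 0x03, 0x03, 0x00, 0x04]) + b"c2!!"
FAKE_TLS13 = bytes([0x17, 0x03, 0x04, 0x00, 0x04]) + b"c2!!"
PLAIN_HTTP = b"GET / HTTP/1.1\r\n"
```

Run the classifier over the first client-to-server segment of each new flow; a `fake_tls` result on port 443 is worth correlating with the originating process.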

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection Strategy

ID: DET0470
Name: Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation

Analytics:

AN1294: Untrusted processes creating outbound TLS/HTTPS connections with malformed certificates or header fields, often mismatched with target service behavior. Detects protocol impersonation attempts via traffic metadata analysis and host process lineage.

AN1295: Detection of binaries spawning encrypted sessions using OpenSSL or curl to external services with mismatched ports/protocols. Identifies behavior where internal services simulate trusted cloud service traffic patterns.

AN1296: Unsigned or suspicious applications initiating network traffic claiming to be browser, mail, or cloud clients. Detects impersonation via TLS fingerprint and User-Agent string deviation.

AN1297: ESXi hosts initiating connections from non-standard daemons mimicking HTTP/HTTPS or SNMP traffic, but with irregular payload formats or expired/unsigned TLS certificates.
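Two of the HTTP-side indicators on this page lend themselves to a simple host-correlated log check: non-standard request methods such as InvisiMole's HIDE, ZVVP and NOP, and a browser User-Agent presented by a process that is not a browser (AN1296). The following is an added example, not MITRE's or any vendor's code; the key=value log format, the process allowlist and the log lines are constructed.

```python
"""Flag HTTP requests that impersonate browser traffic. Added example; the
log format (space-separated key=value fields, quoted values) is assumed."""
import shlex

# Methods registered for HTTP/1.1 (RFC 9110); anything else is suspect.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "CONNECT", "OPTIONS", "TRACE", "PATCH"}
# Assumed allowlist of processes expected to present a browser User-Agent.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def parse_line(line: str) -> dict:
    """Parse 'key=value key="quoted value"' fields into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def findings(line: str) -> list:
    """Return the list of indicator tags raised by one log line."""
    f = parse_line(line)
    out = []
    method = f.get("method", "")
    if method.upper() not in STANDARD_METHODS:
        out.append("nonstandard_method:" + method)
    ua, proc = f.get("ua", ""), f.get("proc", "").lower()
    if any(m in ua for m in BROWSER_UA_MARKERS) and proc not in BROWSER_PROCESSES:
        out.append("browser_ua_from_nonbrowser:" + proc)
    return out


def scan(lines) -> dict:
    """Map the index of each flagged line to its findings."""
    return {i: fs for i, line in enumerate(lines) if (fs := findings(line))}


# Constructed sample telemetry, not real logs
SAMPLE_LOG = [
    'proc=chrome.exe method=GET host=mail.google.com ua="Mozilla/5.0 Chrome/120"',
    'proc=svchost.exe method=ZVVP host=203.0.113.7 ua="Mozilla/5.0 Chrome/120"',
    'proc=updater.exe method=POST host=drive.google.com ua="Mozilla/5.0 Safari/537"',
    'proc=curl.exe method=GET host=example.net ua="curl/8.4"',
]
```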

References

  1. Hromcova, Z. (2019, July). Okrum and Ketrican: An Overview of Recent Ke3chang Group Activity. Retrieved May 6, 2020.
  2. Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia, Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved September 24, 2024.
  3. US-CERT. (2018, February 6). Malware Analysis Report 10135536-G. Retrieved August 15, 2024.
  4. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved August 15, 2024.
  5. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
  6. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  7. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  8. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  9. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  10. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  11. US-CERT. (2018, February 5). Malware Analysis Report (MAR) - 10135536-F. Retrieved August 15, 2024.
  12. Singh, S. and Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  13. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  14. Hromcova, Z. and Cherpanov, A. (2020, June). InvisiMole: The Hidden Part of the Story. Retrieved July 16, 2020.
  15. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  16. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  17. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  18. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  19. Ryan Sherstobitoff. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved August 15, 2024.
  20. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.
  21. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  22. Dex. (n.d.). New Mustang Panda’s campaing against Australia. Retrieved August 4, 2025.
  23. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
  24. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  25. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  26. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.