1. Home
  2. Techniques
  3. Enterprise
  4. Traffic Signaling

Traffic Signaling

ID Name
T1205.001 Port Knocking
T1205.002 Socket Filters

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

On network devices, adversaries may use crafted packets to enable Network Device Authentication for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities. Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.[2][3][4] To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage Patch System Image due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.[5][6]

ID: T1205
Sub-techniques:  T1205.001, T1205.002
Platforms: Linux, Network Devices, Windows, macOS
Contributors: Josh Day, Gigamon; Tony Lee
Version: 2.5
Created: 18 April 2018
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1118 BUSHWALK

BUSHWALK can modify the DSUserAgentCap.pm Perl module on Ivanti Connect Secure VPNs and either activate or deactivate depending on the value of the user agent in incoming HTTP requests.[7]
S0220 Chaos

Chaos provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port.[8]
C0029 Cutting Edge

During Cutting Edge, threat actors sent a magic 48-byte sequence to enable the PITSOCK backdoor to communicate via the /tmp/clientsDownload.sock socket.[7]
S1203 J-magic

J-magic can monitor TCP traffic for packets containing one of five different predefined parameters and will spawn a reverse shell if one of the parameters and the proper response string to a subsequent challenge is received.[9]
G0094 Kimsuky

Kimsuky has used TRANSLATEXT to redirect clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters.[10]

S0641 Kobalos

Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[11][12]

G0129 Mustang Panda

Mustang Panda has utilized a "magic packet" value in C2 communications and only executes in memory when response packets match specific values of "17 03 03" or "46 77 4d".[13]
S0664 Pandora

Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.[14]
S0587 Penquin

Penquin will connect to C2 only after sniffing a "magic packet" value in TCP or UDP packets matching specific conditions.[15][16]
S1228 PUBLOAD

PUBLOAD has utilized a magic packet value in C2 communications and only executes in memory when response packets match specific values of 17 03 03.[13][17][18][19][20] PUBLOAD has also used magic bytes consisting of 46 77 4d.[13]
C0056 RedPenguin

During RedPenguin, UNC3886 leveraged malware capable of inpecting packets for a magic-string to activate backdoor functionalities.[21]
S1219 REPTILE

The REPTILE reverse shell component can listen for a specialized packet in TCP, UDP, or ICMP for activation.[22][23]
S0446 Ryuk

Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement.[5]
S0519 SYNful Knock

SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.[3]
S1239 TONESHELL

TONESHELL has utilized a "magic packet" value in C2 communications and only executes in memory when response packets match specific values.[24][19][25]
S1201 TRANSLATEXT

TRANSLATEXT has redirected clients to legitimate Gmail, Naver or Kakao pages if the clients connect with no parameters.[10]

S0221 Umbreon

Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.[26]
G1048 UNC3886

UNC3886 has used the TABLEFLIP traffic redirection utility to listen for specialized command packets on compromised FortiManager devices.[23]
S0022 Uroburos

Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.[27]
S0430 Winnti for Linux

Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.[28]
S1114 ZIPLINE

ZIPLINE can identify a specific string in intercepted network traffic, SSH-2.0-OpenSSH_0.3xx., to trigger its command functionality.[29]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable Wake-on-LAN if it is not needed within an environment.
M1037 Filter Network Traffic

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0524 Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205 AN1448

A remote host sends a short sequence of failed connection attempts (RST/ICMP unreachable) to a set of closed ports. Within a brief window the endpoint (a) adds/enables a firewall rule or (b) a sniffer-backed process begins listening or opens a new socket, after which a successful connection occurs. Also detects Wake-on-LAN magic packets seen on local segment.
AN1449

Closed-port knock sequence from a remote IP followed by on-host firewall change (iptables/nftables) or daemon starts listening (socket open) and a successful TCP/UDP connect. Optional detection of libpcap/raw-socket sniffers spawning to watch for secret values.
AN1450

Remote knock sequence followed by PF/socketfilterfw rule update or a background process listening on a new port; then a successful TCP session. Also flags WoL magic packets on local segment.
AN1451

Crafted ‘synful knock’ patterns toward routers/switches (same src hits interface/broadcast/network address on same port in short order) followed by ACL/telnet/SSH enablement or module change. Detect device image/ACL updates then a new mgmt session.

References

  1. Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.
  2. Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
  3. Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.
  4. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  5. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
  6. AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021.
  7. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  8. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  9. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  10. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  11. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  12. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  13. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025.
  14. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  15. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  1. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
  2. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
  3. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
  4. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
  5. Unit42. (2024, March 26). ASEAN Entities in the Spotlight: Chinese APT Group Targeting. Retrieved August 4, 2025.
  6. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.
  7. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  8. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
  9. Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025.
  10. Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025.
  11. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  12. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  13. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  14. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.