Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

ID: T1544
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 2.0
Created: 21 January 2020
Last Modified: 06 April 2022

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0485 | Mandrake | Mandrake can install attacker-specified components or applications.[1] |
| S0407 | Monokle | Monokle can download attacker-specified files.[2] |
| S0326 | RedDrop | RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.[3] |
| S0418 | ViceLeaker | ViceLeaker can download attacker-specified files.[4] |


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.
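
One way a vetting pipeline could apply the check described above, as an added example that is not part of the ATT&CK entry: it reviews requests recorded during dynamic analysis and ranks those that reach hosts outside an expected set or return code-bearing content such as the APK and JAR files mentioned for RedDrop. The host allowlist, the record layout and the sample requests are constructed assumptions, and DEX is included as a further code format.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the app under review is expected to contact.
EXPECTED_HOSTS = {"api.example-app.test", "cdn.example-app.test"}

# Leading bytes of code-bearing formats. APK and JAR are ZIP archives, so this
# also matches other ZIP files; DEX is Android bytecode.
CODE_MAGIC = {b"PK\x03\x04": "zip (APK/JAR)", b"dex\n": "dex"}

# Constructed sample of requests captured while the app ran in a sandbox:
# (requested URL, first bytes of the response body).
SAMPLE_REQUESTS = [
    ("https://api.example-app.test/v1/config", b'{"theme":"dark"}'),
    ("https://cdn.example-app.test/img/logo.png", b"\x89PNG\r\n\x1a\n"),
    ("http://203.0.113.7/update/payload.bin", b"PK\x03\x04\x14\x00\x08\x00"),
    ("https://files.unknown-host.test/a/classes", b"dex\n035\x00"),
    ("https://cdn.example-app.test/plugins/extra.jar", b"PK\x03\x04\x0a\x00"),
    ("https://stats.unknown-host.test/ping", b"ok"),
]

def classify_body(prefix):
    """Return a label if the response starts like a code-bearing file, else None."""
    for magic, label in CODE_MAGIC.items():
        if prefix.startswith(magic):
            return label
    return None

def review_requests(requests, expected_hosts):
    """Rank requests by unexpected destination and code-like response content."""
    findings = []
    for url, prefix in requests:
        host = (urlsplit(url).hostname or "").lower()
        unknown = host not in expected_hosts
        kind = classify_body(prefix)
        if unknown and kind:
            severity = "high"    # code fetched from a host the app should not contact
        elif kind:
            severity = "medium"  # code fetched at run time, even from an expected host
        elif unknown:
            severity = "low"     # unexpected destination, no code-like content
        else:
            continue
        findings.append({"severity": severity, "host": host, "url": url, "content": kind})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in review_requests(SAMPLE_REQUESTS, EXPECTED_HOSTS):
        print(f"{f['severity']:6} {f['host']:26} {f['content'] or '-':14} {f['url']}")
```

Matching on the response's leading bytes rather than the URL extension catches payloads served under neutral names such as `payload.bin`.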