Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.

ID: T1544
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Platforms: Android, iOS
Version: 2.2
Created: 21 January 2020
Last Modified: 14 August 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu can receive files from the C2 at runtime.[1]

C0033 C0033

During C0033, PROMETHIUM used StrongPity to receive files from the C2 and execute them via the parent application.[2]

S1083 Chameleon

Chameleon can download HTML overlay pages after installation.[3]

S0485 Mandrake

Mandrake can install attacker-specified components or applications.[4]

S0407 Monokle

Monokle can download attacker-specified files.[5]

S1126 Phenakite

Phenakite can download additional malware to the victim device.[6]

S0326 RedDrop

RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.[7]

S1055 SharkBot

SharkBot can download attacker-specified files.[8]

S1082 Sunbird

Sunbird can download adversary specified content from FTP shares.[9]

S0418 ViceLeaker

ViceLeaker can download attacker-specified files.[10]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Application vetting services could look for connections to unknown domains or IP addresses.

Permissions Requests

Application vetting services may indicate precisely what content was requested during application execution.