Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

ID: T1646
Sub-techniques: No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Exfiltration
Platforms: Android, iOS
Version: 1.0
Created: 01 April 2022
Last Modified: 08 April 2022

Procedure Examples

ID     Name                  Description
S0507  eSurv                 eSurv has exfiltrated data using HTTP PUT requests.[1]
S0551  GoldenEagle           GoldenEagle has exfiltrated data via both SMTP and HTTP.[2]
S0421  GolfSpy               GolfSpy exfiltrates data using HTTP POST requests.[3]
C0016  Operation Dust Storm  During Operation Dust Storm, the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.[4]
S0399  Pallas                Pallas exfiltrates data using HTTP.[5]
S0326  RedDrop               RedDrop uses standard HTTP for exfiltration.[6]
S0424  Triada                Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.[7]
S0418  ViceLeaker            ViceLeaker uses HTTP data exfiltration.[8][9]
S0490  XLoader for iOS       XLoader for iOS has exfiltrated data using HTTP requests.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.
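The detection paragraph above says this is hard to spot in isolation. One heuristic a defender can still run over proxy or flow records is to look for a destination that already shows the regular, low-volume check-in pattern of a C2 beacon and then receives a large one-way upload over that same channel, which is exactly the pattern the technique description and the HTTP POST/PUT procedure examples describe. The Python below is an added example written for this page, not MITRE's code or that of any tool; the log format, the threshold constants and the log lines are constructed assumptions.

```python
"""Flag (client, destination) pairs that both beacon like a C2 channel and
carry unusually large outbound bodies, the pattern described for T1646.

Added example for this page, not MITRE's or any product's code. The log
format, the thresholds and the log lines themselves are constructed
assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Tunable assumptions (constructed for this example; tune to your environment)
MIN_BEACONS = 4              # small requests needed before we call it a beacon
BEACON_MAX_BYTES = 1024      # request body at or below this size counts as a check-in
MAX_JITTER = 0.3             # coefficient of variation of check-in gaps; lower = more regular
LARGE_OUT_BYTES = 1_000_000  # outbound body at or above this size counts as a bulk upload
OUT_IN_RATIO = 10            # upload must dwarf the reply to count as a one-way transfer

# Constructed proxy-style log: time src_ip dst_host method bytes_out bytes_in
SAMPLE_LOG = """\
2022-04-01T10:00:00 10.0.0.5 updates.example-cdn.net POST 412 88
2022-04-01T10:05:00 10.0.0.5 updates.example-cdn.net POST 409 90
2022-04-01T10:10:00 10.0.0.5 updates.example-cdn.net POST 415 87
2022-04-01T10:12:30 10.0.0.5 updates.example-cdn.net PUT 5242880 64
2022-04-01T10:15:00 10.0.0.5 updates.example-cdn.net POST 410 91
2022-04-01T10:20:00 10.0.0.5 updates.example-cdn.net POST 411 89
2022-04-01T10:01:00 10.0.0.5 www.example-news.com GET 310 184233
2022-04-01T10:03:00 10.0.0.5 www.example-news.com GET 305 92011
2022-04-01T10:07:00 10.0.0.5 photos.example-cloud.com PUT 3145728 210
"""


@dataclass
class Request:
    ts: datetime
    src: str
    host: str
    method: str
    bytes_out: int
    bytes_in: int


def parse_log(text):
    """Parse the constructed whitespace-separated log format into Request records."""
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, host, method, out_b, in_b = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), src, host, method,
                            int(out_b), int(in_b)))
    return reqs


def beacon_jitter(times):
    """Coefficient of variation of inter-request gaps (0.0 = perfectly periodic).
    Returns None when there are too few requests to judge periodicity."""
    if len(times) < MIN_BEACONS:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg


def find_exfil_over_c2(reqs):
    """Return one finding per (client, host) pair that both beacons and bulk-uploads."""
    by_pair = defaultdict(list)
    for r in reqs:
        by_pair[(r.src, r.host)].append(r)

    findings = []
    for (src, host), rs in by_pair.items():
        beacons = [r for r in rs if r.bytes_out <= BEACON_MAX_BYTES]
        uploads = [r for r in rs
                   if r.bytes_out >= LARGE_OUT_BYTES
                   and r.bytes_out >= OUT_IN_RATIO * max(r.bytes_in, 1)]
        jitter = beacon_jitter([r.ts for r in beacons])
        # A lone bulk upload (backup, photo sync) is not enough on its own; it has to
        # ride a channel that already shows the regular, low-volume check-in pattern.
        if jitter is None or jitter > MAX_JITTER or not uploads:
            continue
        findings.append({
            "src": src,
            "host": host,
            "beacon_count": len(beacons),
            "beacon_jitter": round(jitter, 3),
            "upload_bytes": sum(r.bytes_out for r in uploads),
            "upload_methods": sorted({r.method for r in uploads}),
        })
    return findings


if __name__ == "__main__":
    for f in find_exfil_over_c2(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['host']}: {f['beacon_count']} check-ins "
              f"(jitter {f['beacon_jitter']}), {f['upload_bytes']} bytes "
              f"uploaded via {f['upload_methods']}")
```

On the constructed log only updates.example-cdn.net is reported: it shows five near-identical POSTs every five minutes plus a 5 MB PUT whose reply is tiny. The single large PUT to photos.example-cloud.com is deliberately left alone because nothing beacons to that host, and the news site has large inbound but not outbound volume. The thresholds are starting points; in practice they are tuned per environment, and the same grouping works over NetFlow or firewall byte counters when full proxy logs are not available.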