T1001: T1001

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 03/04/2026 21:34

Essential information

MITRE technique ID: T1001
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 03/04/2026 21:34
Author / Source: The MITRE Corporation

Aliases

Data Obfuscation

Platforms

windows macos linux ESXi

Description

Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1001)
Bitdefender FunnyDream Campaign November 2020
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (38)

Erudite Mogwai related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MOIS (Ministry of Intelligence and Security) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Metador related

The MITRE Corporation Confidence 100

[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-WATER-063 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
September related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy related

The MITRE Corporation Confidence 100

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sponsoring Access related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Static Tundra related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA413 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA428 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA551 Shathak related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5812 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

25–36 of 38

Manuscrypt uses

Family
DinDoor uses

Family
LimeRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CookiePlus uses

Family
Cotx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Charamel Loader uses

Family
Redline uses

Family
SLOTHFULMEDIA uses
CookieTime uses

Family
YaRAT uses
Trojan:Linux/Mirai uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GOLDVEIN.JAVA uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 78

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Inside Banana RAT: From Build Server to Banking … related

20 MITREs 8 Malwares 8 Observables 1 APT
Iranian MOIS Actors & the Cyber Crime Connection related

16 MITREs 7 Malwares 14 Observables 1 APT
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters … related

19 MITREs 6 Malwares 5 Observables 1 APT
Major October 2025 Cyber Attacks Your SOC Can't … related

18 MITREs 10 Observables
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion … related

13 MITREs 4 Malwares 1 APT
GhostSocks: From Initial Access to Residential Proxy related

11 MITREs 2 Malwares 12 Observables 1 APT
Proactive ClickFix Threat Hunting with Hunt.io related

19 MITREs 2 Malwares
Operation ForumTroll exploits zero-days in Google Chrome related

16 MITREs 2 Malwares 1 APT
BADBOX 2.0 Targets Consumer Devices with Multiple Fraud … related

9 MITREs 1 Malware 59 Observables 1 APT
Long Live The Vo1d Botnet: New Variant Hits … related

20 MITREs 3 Malwares 48 Observables 1 APT
Erudite Mogwai Uses Custom Stowaway to Stealthily Advance … related

20 MITREs 3 Malwares 12 Observables 1 APT

← Previous

Page / 2

1–12 of 20

Vulnerabilities (CVE) (21)

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2017-3506 KEV targets

7.4 High

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …

Attack vector: NETWORK
Complexity: HIGH
Published: 24/04/2017
Modified: 22/04/2026

CWE-78

CVE-2023-21839 KEV targets

7.5 High

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …

Attack vector: Network
Published: 01/05/2023
Modified: 21/12/2025

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2020-14882 KEV targets

Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2025-8110 KEV targets

8.7 High

Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.

Attack vector: NETWORK
Published: 20/12/2025
Modified: 22/01/2026

Awaiting Analysis

← Previous

Page / 2

13–21 of 21

Steganography subtechnique-of

T1001.002 MITRE
T1001.003 subtechnique-of

Protocol or Service Impersonation MITRE

Tool (1)

evilginx2 uses

The MITRE Corporation Confidence 75

[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…

Campaign (1)

Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use

T1001: T1001

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (38)

Malware (78)

Reports (20)

Vulnerabilities (CVE) (21)

Attack patterns (MITRE) (2)

Tool (1)

Campaign (1)