T1001: T1001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 03/04/2026 21:34

Essential information

MITRE technique ID: T1001
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 03/04/2026 21:34
Author / Source: The MITRE Corporation

Aliases

Data Obfuscation

Platforms

windows macos linux ESXi

Description

Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1001)
Bitdefender FunnyDream Campaign November 2020
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (38)

SAMBA SPIDER uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Thrip uses DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-36 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stonefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diicot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vo1d uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 uses Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Danabot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GhostSocks uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 38

Anycon uses

Family
CitriLoader uses

Family
WinWebDown uses

Family
CHAVECLOAK uses

Family
Korplug uses

The MITRE Corporation Confidence 100

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BasicLoader uses
DBatLoader uses

Family
BeaverTail uses

Family
SYK Crypter uses
VSingle uses
Mispadu uses

Family

← Previous

Page / 7

25–36 of 78

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Inside Banana RAT: From Build Server to Banking … related

20 MITREs 8 Malwares 8 Observables 1 APT
Iranian MOIS Actors & the Cyber Crime Connection related

16 MITREs 7 Malwares 14 Observables 1 APT
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters … related

19 MITREs 6 Malwares 5 Observables 1 APT
Major October 2025 Cyber Attacks Your SOC Can't … related

18 MITREs 10 Observables
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion … related

13 MITREs 4 Malwares 1 APT
GhostSocks: From Initial Access to Residential Proxy related

11 MITREs 2 Malwares 12 Observables 1 APT
Proactive ClickFix Threat Hunting with Hunt.io related

19 MITREs 2 Malwares
Operation ForumTroll exploits zero-days in Google Chrome related

16 MITREs 2 Malwares 1 APT
BADBOX 2.0 Targets Consumer Devices with Multiple Fraud … related

9 MITREs 1 Malware 59 Observables 1 APT
Long Live The Vo1d Botnet: New Variant Hits … related

20 MITREs 3 Malwares 48 Observables 1 APT
Erudite Mogwai Uses Custom Stowaway to Stealthily Advance … related

20 MITREs 3 Malwares 12 Observables 1 APT

← Previous

Page / 2

1–12 of 20

Vulnerabilities (CVE) (21)

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2022-21907 targets

9.8 Critical

HTTP Protocol Stack Remote Code Execution Vulnerability

Attack vector: NETWORK
Published: 11/01/2022
Modified: 20/12/2025

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2022-0543 targets

CVE-2019-0797 KEV targets

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2018-0171 KEV targets

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2021-22986 KEV targets

F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 2

1–12 of 21

Steganography subtechnique-of

T1001.002 MITRE
T1001.003 subtechnique-of

Protocol or Service Impersonation MITRE

Tool (1)

evilginx2 uses

The MITRE Corporation Confidence 75

[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…

Campaign (1)

Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use

T1001: T1001

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (38)

Malware (78)

Reports (20)

Vulnerabilities (CVE) (21)

Attack patterns (MITRE) (2)

Tool (1)

Campaign (1)