T1001: T1001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 03/04/2026 21:34

Essential information

MITRE technique ID: T1001
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 03/04/2026 21:34
Author / Source: The MITRE Corporation

Aliases

Data Obfuscation

Platforms

windows macos linux ESXi

Description

Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

mitre-attack (T1001)
Bitdefender FunnyDream Campaign November 2020
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (38)

SAMBA SPIDER uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Thrip uses DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-36 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Stonefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diicot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vo1d uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 uses Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Danabot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GhostSocks uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 38

Manuscrypt uses

Family
DinDoor uses

Family
LimeRAT uses

Family
CookiePlus uses

Family
Cotx uses
Charamel Loader uses

Family
Redline uses

Family
SLOTHFULMEDIA uses
CookieTime uses

Family
YaRAT uses
Trojan:Linux/Mirai uses
GOLDVEIN.JAVA uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 78

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Inside Banana RAT: From Build Server to Banking … related

20 MITREs 8 Malwares 8 Observables 1 APT
Iranian MOIS Actors & the Cyber Crime Connection related

16 MITREs 7 Malwares 14 Observables 1 APT
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters … related

19 MITREs 6 Malwares 5 Observables 1 APT
Major October 2025 Cyber Attacks Your SOC Can't … related

18 MITREs 10 Observables
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion … related

13 MITREs 4 Malwares 1 APT
GhostSocks: From Initial Access to Residential Proxy related

11 MITREs 2 Malwares 12 Observables 1 APT
Proactive ClickFix Threat Hunting with Hunt.io related

19 MITREs 2 Malwares
Operation ForumTroll exploits zero-days in Google Chrome related

16 MITREs 2 Malwares 1 APT
BADBOX 2.0 Targets Consumer Devices with Multiple Fraud … related

9 MITREs 1 Malware 59 Observables 1 APT
Long Live The Vo1d Botnet: New Variant Hits … related

20 MITREs 3 Malwares 48 Observables 1 APT
Erudite Mogwai Uses Custom Stowaway to Stealthily Advance … related

20 MITREs 3 Malwares 12 Observables 1 APT

← Previous

Page / 2

1–12 of 20

Vulnerabilities (CVE) (21)

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2017-3506 KEV targets

7.4 High

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …

Attack vector: NETWORK
Complexity: HIGH
Published: 24/04/2017
Modified: 22/04/2026

CWE-78

CVE-2023-21839 KEV targets

7.5 High

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …

Attack vector: Network
Published: 01/05/2023
Modified: 21/12/2025

CVE-2019-0859 KEV targets

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published: 03/11/2021
Modified: 29/05/2026

CVE-2023-20118 KEV targets

6.5 Medium

Multiple Cisco Small Business RV Series Routers contains a command injection vulnerability in the web-based management interface. Successful exploitation could allow an …

Attack vector: Network
Published: 03/03/2025
Modified: 21/12/2025

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2020-14882 KEV targets

Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

CVE-2025-8110 targets

8.7 High

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

Published: 10/12/2025
Modified: 12/12/2025

Awaiting Analysis

← Previous

Page / 2

13–21 of 21

Steganography subtechnique-of

T1001.002 MITRE
T1001.003 subtechnique-of

Protocol or Service Impersonation MITRE

Tool (1)

evilginx2 uses

The MITRE Corporation Confidence 75

[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…

Campaign (1)

Operation Wocao uses

Contact About Legal notice Privacy policy Terms of use

T1001: T1001

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (38)

Malware (78)

Reports (20)

Vulnerabilities (CVE) (21)

Attack patterns (MITRE) (2)

Tool (1)

Campaign (1)