216.73.217.22

T1071.003: T1071.003

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/04/2026 16:43

Essential information

MITRE technique ID
T1071.003
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/04/2026 16:43
Author / Source
The MITRE Corporation

Aliases

Mail Protocols

Platforms

windows macos linux Network Devices

Description

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28)

Kill chain phases

Kill chainPhase
mitre-attack command-and-control

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (10)

  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • APT28 uses IRON TWILIGHTSNAKEMACKEREL
    The MITRE Corporation Confidence 100

    [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
  • APT32 uses SeaLotusAPT-C-00
    The MITRE Corporation Confidence 100

    [APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • GopherWhisper uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 27/04/2026 16:43 · Modified 27/04/2026 16:43
  • Earth Baxia uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:15 · Modified 21/12/2025 07:15
  • Contagious Interview uses Gwisin GangTAG-121
    The MITRE Corporation Confidence 100

    [Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Turla uses IRON HUNTERGroup 88
    The MITRE Corporation Confidence 100

    [Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • Turla, UNC4210 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:18 · Modified 20/12/2025 23:18
  • Agent Tesla uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:11 · Modified 21/12/2025 07:11
  • SilverTerrier uses
    The MITRE Corporation Confidence 100

    [SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14

Malware (37)

  • FriendDelivery uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • NavRAT
  • EAGLEDOOR uses
    Family
    Published 20/09/2024 11:22 · Modified 20/09/2024 11:22
  • SWORDLDR uses
    Family
    Published 20/09/2024 11:22 · Modified 20/09/2024 11:22
  • ANDROMEDA
  • LaxGopher uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • IMAPLoader
  • Cannon
  • PowerExchange
  • CompactGopher uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • Kazuar - S0265 uses
    Family
    Published 28/05/2026 19:56 · Modified 28/05/2026 19:56
  • JabGopher uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • Zebrocy
  • SUGARDUMP
  • RIPCOY uses
    Family
    Published 20/09/2024 11:22 · Modified 20/09/2024 11:22
  • BadPatch uses
    Family The MITRE Corporation Confidence 100

    [BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:37 · Modified 27/03/2026 01:05
  • CORESHELL
  • Goopy
  • RatGopher uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
  • Agent Tesla uses
    Family
    Published 28/05/2024 13:32 · Modified 28/05/2024 13:32
  • JPIN
  • CHOPSTICK
  • LunarMail uses
    Family
    Published 16/05/2024 09:35 · Modified 16/05/2024 09:35
  • BoxOfFriends uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • Agent Tesla - S0331 uses
    Family
    Published 15/05/2026 15:23 · Modified 15/05/2026 15:23
  • ComRAT
  • Pelmeni uses
    Family
    Published 14/05/2026 20:10 · Modified 14/05/2026 20:10
  • RDAT uses
    Family The MITRE Corporation Confidence 100

    [RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:36 · Modified 27/03/2026 01:03
  • KOPILUWAK
  • OLDBAIT
  • QUIETCANARY uses
    Family The MITRE Corporation Confidence 100

    [QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:37 · Modified 27/03/2026 01:05
  • SSLORDoor uses
    Family
    Published 23/04/2026 14:37 · Modified 23/04/2026 14:37
  • Remsec
  • Uroburos
  • LightNeuron
  • NightClub uses
    Family The MITRE Corporation Confidence 100

    [NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

    First seen 01/01/1970 · Last seen 16/11/5138 Published 27/09/2023 21:32 · Modified 27/03/2026 01:05

Reports (8)

Vulnerabilities (CVE) (1)

CVE-2024-36401 KEV
9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector
Network
Published
15/07/2024
Modified
21/12/2025

Attack patterns (MITRE) (1)

  • T1071 subtechnique-of
    Application Layer Protocol

Course Of Action (2)

  • Filter Network Traffic mitigates
  • Network Intrusion Prevention mitigates