216.73.217.22

T1090.004: T1090.004

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 20/04/2026 12:51

Essential information

MITRE technique ID
T1090.004
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
20/04/2026 12:51
Author / Source
The MITRE Corporation

Aliases

Domain Fronting

Platforms

windows macos linux ESXi

Description

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored). For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.

Kill chain phases

Kill chainPhase
mitre-attack command-and-control

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (8)

  • CozyDuke uses IRON RITUALIRON HEMLOCK
    The MITRE Corporation Confidence 100

    [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • MRxC0DER uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:45 · Modified 21/12/2025 05:45
  • TaxOff uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:39 · Modified 21/12/2025 08:39
  • Gamaredon uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 20:11 · Modified 20/12/2025 20:11
  • OilRig uses COBALT GYPSYIRN2
    The MITRE Corporation Confidence 100

    [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Sea Turtle uses Teal KurmaCosmic Wolf
    The MITRE Corporation Confidence 100

    [Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Earth Longzhi uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:53 · Modified 20/12/2025 22:53
  • APT41 uses Wicked PandaBrass Typhoon
    The MITRE Corporation Confidence 100

    [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14

Malware (18)

  • GammaSteel uses
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • Veaty uses
    Family
    Published 12/09/2024 08:21 · Modified 12/09/2024 08:21
  • GammaWorm uses
    Family
    Published 04/06/2026 13:57 · Modified 04/06/2026 13:57
  • ScrambleCross
  • Caffeine uses
    Family
    Published 02/07/2024 15:45 · Modified 02/07/2024 15:45
  • StealthVector uses
    Family
    Published 09/08/2024 20:15 · Modified 09/08/2024 20:15
  • GammaWipe uses
    Family
    Published 04/06/2026 13:57 · Modified 04/06/2026 13:57
  • StealthMutant
  • Trinper uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:39 · Modified 21/12/2025 08:39
  • Cobalt Strike uses
    Family
    Published 16/12/2024 14:25 · Modified 16/12/2024 14:25
  • procburner
  • GammaPhish uses
    Family
    Published 04/06/2026 13:57 · Modified 04/06/2026 13:57
  • avburner
  • GammaLoad uses
    Family
    Published 04/06/2026 13:57 · Modified 04/06/2026 13:57
  • SMOKEDHAM
  • Spearal uses
    Family
    Published 12/09/2024 08:21 · Modified 12/09/2024 08:21
  • CacheHttp uses
    Family
    Published 12/09/2024 08:21 · Modified 12/09/2024 08:21
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40

Reports (7)

Vulnerabilities (CVE) (2)

CVE-2019-16098
7.8 High

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, …

Attack vector
LOCAL
Published
11/09/2019
Modified
20/12/2025
CVE-2021-26855 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published
03/11/2021
Modified
20/12/2025

Attack patterns (MITRE) (1)

  • T1090 subtechnique-of
    Proxy

Tool (2)

  • Mythic uses
    The MITRE Corporation Confidence 100

    [Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed …

    Published 26/03/2022 02:38 · Modified 27/03/2026 01:07
  • meek uses
    The MITRE Corporation Confidence 100

    [meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

    Published 16/01/2018 17:13 · Modified 27/03/2026 01:07

Course Of Action (1)

  • SSL/TLS Inspection mitigates