T1132: T1132

Search IOCs, vulnerabilities, APT…

216.73.216.220

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1132
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Data Encoding

Platforms

windows macos linux ESXi

Description

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Wikipedia Binary-to-text Encoding
Wikipedia Character Encoding
mitre-attack (T1132)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (63)

Sparkling Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
STARDUST CHOLLIMA uses NICKEL GLADSTONEBeagleBoyz

The MITRE Corporation Confidence 100

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Russian APT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GhostEmperor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GhostSocks uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework uses Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-27 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Gamayun uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
VanHelsingRaaS uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
8220 Gang related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

13–24 of 63

ShadowPad - S0596 uses

Family
Ntospy uses
Dtrack - S0567 uses

Family
Wpeeper uses

Family
LockBit uses

Family
script.py uses
HappyDoor uses

Family
agent2.malz uses

Family
0debug uses

Family
CoinMiner uses

Family
Latrodectus uses

Family
TrackBak uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 9

1–12 of 103

Invisible Sting: Over 4000 Outdated Routers Compromised by … related

AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
The Devil, Eight Million Emails, and a Whole … related

AlienVault Confidence 100 16 MITREs 14 IOCs 14 Observables
Travel Phishing and Cyber Attacks are Surging in … related

16 MITREs
A First Look at a New Post-Exploitation Red … related

20 MITREs 1 Malware 1 Observable
Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
RemotePE: The Lazarus RAT that lives in memory related

20 MITREs 6 Malwares 10 Observables 1 APT
Infostealer Campaign Using Trading App as Lure related

20 MITREs 2 Malwares 4 Observables 1 APT
Kazuar: Anatomy of a nation-state botnet related

AlienVault Confidence 100 24 MITREs 2 Malwares 4 IOCs 4 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (73)

CVE-2018-0171 KEV targets

9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector: NETWORK
Published: 03/11/2021
Modified: 14/01/2026

CVE-2017-3506 KEV targets

7.4 High

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute …

Attack vector: NETWORK
Complexity: HIGH
Published: 24/04/2017
Modified: 22/04/2026

CWE-78

CVE-2025-29824 KEV targets

7.8 High

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Attack vector: Local
Published: 08/04/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2025-0944 targets

6.3 Medium

A vulnerability was found in itsourcecode Tailoring Management System 1.0. It has been rated as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 01/02/2025
Modified: 21/12/2025

Analyzed

CVE-2025-6218 KEV targets

RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.

Published: 09/12/2025
Modified: 21/12/2025

CVE-2025-61932 KEV targets

9.3 Critical

Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to …

Published: 22/10/2025
Modified: 21/12/2025

Received

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2025-27921 targets

6.1 Medium

A reflected cross-site scripting (XSS) vulnerability was discovered in Output Messenger before 2.0.63, where unsanitized input could be injected into the web …

Attack vector: NETWORK
Published: 05/05/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-50358 targets

← Previous

Page / 7

1–12 of 73

Mythic uses

The MITRE Corporation Confidence 100

[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed…

Contact About Legal notice Privacy policy Terms of use

T1132: T1132

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (63)

Malware (103)

Reports (50)

Vulnerabilities (CVE) (73)

Tool (1)