T1406: Obfuscated Files or Information
Essential information
- MITRE technique ID
T1406- Confidence
- 100/100
- Revoked
- No
- Published
- 25/10/2017 16:48
- Modified
- 27/03/2026 01:41
- Author / Source
- The MITRE Corporation
Aliases
T1406
Platforms
android iOS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-mobile-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (7)
-
DONOT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sandworm usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Anatsa usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Evilnum usesThe MITRE Corporation Confidence 100
[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (62)
-
DarkCrystal usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TianySpy usesFamily The MITRE Corporation Confidence 100
[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Crocodilus usesAlienVault Confidence 100
[Crocodilus](https://attack.mitre.org/software/S9004) is an Android banking Trojan that was discovered in March 2025. [Crocodilus](https://attack.mitre.org/software/S9004) targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
NetSupport usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HenBox usesFamily The MITRE Corporation Confidence 100
[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SharkBot usesFamily The MITRE Corporation Confidence 100
[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Android Banking usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FluBot usesFamily The MITRE Corporation Confidence 100
[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Family The MITRE Corporation Confidence 100
[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Red Alert 2.0 usesFamily The MITRE Corporation Confidence 100
[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0)
First seen 01/01/1970 · Last seen 16/11/5138 · -
GolfSpy usesFamily The MITRE Corporation Confidence 100
[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mandrake usesFamily The MITRE Corporation Confidence 100
[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (3)
-
7 MITREs 1 Malware 5 Observables
-
10 MITREs 1 Malware 1 APT
-
10 MITREs 1 Malware 4 Observables 1 APT
Vulnerabilities (CVE) (28)
TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the exportOvpn interface at cstecgi.cgi.
- Attack vector
- NETWORK
- Published
- 22/03/2022
- Modified
- 20/12/2025
- Published
- 20/12/2025
- Modified
- 20/12/2025
Realtek SDK contains an improper input validation vulnerability in the miniigd SOAP service that allows remote attackers to execute malicious code via …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 01/05/2015
- Modified
- 22/04/2026
Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 was discovered to contain a command injection vulnerability in the component /admin/vca/bia/addacph.cgi. This vulnerability is …
- Attack vector
- NETWORK
- Published
- 19/07/2022
- Modified
- 20/12/2025
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution …
- Attack vector
- NETWORK
- Published
- 30/03/2019
- Modified
- 20/12/2025
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
- Published
- 03/11/2021
- Modified
- 20/12/2025
- Published
- 20/12/2025
- Modified
- 20/12/2025
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote …
- Attack vector
- NETWORK
- Published
- 08/07/2022
- Modified
- 20/12/2025
LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2.
- Attack vector
- NETWORK
- Published
- 13/02/2020
- Modified
- 20/12/2025
TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary …
- Attack vector
- NETWORK
- Published
- 24/02/2022
- Modified
- 20/12/2025
Realtek AP-Router SDK HTTP web server boa contains a buffer overflow vulnerability due to unsafe copies of some overly long parameters submitted …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This …
- Published
- 19/12/2017
- Modified
- 13/05/2026
Attack patterns (MITRE) (2)
-
Steganography subtechnique-of
-
Software Packing subtechnique-of
Tool (1)
-
FlexiSpy usesThe MITRE Corporation Confidence 100
[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control…
Campaign (1)
-
C0033 uses