Description
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Mitigations (2)
Network Intrusion Prevention (M1031)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Because the stolen data rides on the same protocol as the beaconing, a signature that catches the tool's C2 traffic also catches its exfiltration. Signatures are often written for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, so they will likely differ across malware families and must be maintained as the tooling changes.
Data Loss Prevention (M1057)
Data loss prevention can detect and block sensitive data being sent over unencrypted protocols. In practice most C2 channels are TLS-wrapped or otherwise encrypted, so network DLP only sees the content if traffic is decrypted at an inspection point; endpoint DLP, which inspects data before the malware encodes it, is the more reliable control for this technique.
Threat Groups (27)
| ID | Group | Context |
|---|---|---|
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has exfiltrated data from compromised VMware vCenter servers through an established C2 chann... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used malware that exfiltrates stolen data to its C2 server.(Citation: Kaspersky LuminousMoth... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has sent system information to its C2 server using HTTP.(Citation: ESET Telebots Dec 2016) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used [Cobalt Strike](https://attack.mitre.org/software/S0154) C2 beacons for data exfiltration.(C... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used Web shells and [HTRAN](https://attack.mitre.org/software/S0040) for C2 and to exfiltrate data.(C... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) exfiltrated data over its C2 channel.(Citation: Zscaler Higaisa 2020) |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) transferred compressed and encrypted RAR files containing exfiltration through the established backd... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has exfiltrated stolen victim data through C2 communications.(Citation: FBI FLASH APT39 September 2020) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has exfiltrated data and files over a C2 channel through its various tools and malware.(Citatio... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has exfiltrated stolen data and files to its C2 server.(Citation: Cisco Talos MUSTANG PANDA PLU... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that exfiltrates data over the C2 channel.(Citation: FireEye Clandestine Fox) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050)'s backdoor has exfiltrated data using the already opened channel with its C&C server.(Citation: ESET Oc... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has exfiltrated data from a compromised host to actor-controlled C2 servers.(Citation: S... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has exfiltrated collected victim data to C2 infrastructure.(Citation: Palo Alto Ashen Lepus DEC 2025) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has exfiltrated data over its C2 channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kim... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has exfiltrated files via the Dropbox API C2.(Citation: Zscaler APT31 Covid-19 October 2020) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) transmitted collected victim host information via HTTP POST to command and control infrastructure.(... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has exfiltrated stolen files to its C2 server.(Citation: TrendMicro Confucius APT Aug 2021) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) delivered a PowerShell script capable of recursively scanning victim machines looking for vario... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated domain credentials and network enumeration information over command and control... |
Associated Software (164)
| ID | Name | Type | Context |
|---|---|---|---|
| S1172 | OilBooster | Malware | [OilBooster](https://attack.mitre.org/software/S1172) can use an actor-controlled OneDrive account for C2 communication and exfiltration.(Citation: ES... |
| S0459 | MechaFlounder | Malware | [MechaFlounder](https://attack.mitre.org/software/S0459) has the ability to send the compromised user's account name and hostname within a URL to C2.(... |
| S9035 | LAMEHUG | Malware | [LAMEHUG](https://attack.mitre.org/software/S9035) can exfiltrate collected system information and documents to C2.(Citation: Splunk LAMEHUG SEP 2025)... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has exfiltrated data over the C2 channel.(Citation: Talos PoetRAT October 2020) |
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) sent generated reports to the C2 via HTTP POST requests.(Citation: FOX-IT May 2016 Mofang) |
| S1019 | Shark | Malware | [Shark](https://attack.mitre.org/software/S1019) has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.(Citation: Cl... |
| S1210 | Sagerunex | Malware | [Sagerunex](https://attack.mitre.org/software/S1210) encrypts collected system data then exfiltrates via existing command and control channels.(Citati... |
| S0533 | SLOTHFULMEDIA | Malware | [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) has sent system information to a C2 server via HTTP and HTTPS POST requests.(Citation: CISA M... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) exfiltrates collected email credentials via HTTP POST to command and control servers.(Citatio... |
| S1017 | OutSteel | Malware | [OutSteel](https://attack.mitre.org/software/S1017) can upload files from a compromised host over its C2 channel.(Citation: Palo Alto Unit 42 OutSteel... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has exfiltrated data collected from victim devices to C2 servers.(Citation: Socket BeaverTail XO... |
| S0234 | Bandook | Malware | [Bandook](https://attack.mitre.org/software/S0234) can upload files from a victim's machine over the C2 channel.(Citation: CheckPoint Bandook Nov 2020... |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has uploaded files from the victim system to C2 servers.(Citation: CrowdStrike BRICKSTORM WARP P... |
| S0431 | HotCroissant | Malware | [HotCroissant](https://attack.mitre.org/software/S0431) has the ability to download files from the infected host to the command and control (C2) serve... |
| S1021 | DnsSystem | Malware | [DnsSystem](https://attack.mitre.org/software/S1021) can exfiltrate collected data to its C2 server.(Citation: Zscaler Lyceum DnsSystem June 2022) |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409)'s collected data is exfiltrated over the same channel used for C2.(Citation: ESET Machete July 2019... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can send collected data in JSON format to C2.(Citation: Google EXOTIC LILY March 2022) |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has exfiltrated collected host information to a C2 server.(Citation: CISA AppleJeus Feb 2021) |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) can use SMTP and DNS for file exfiltration and C2.(Citation: MoustachedBouncer ESET August 2023) |
| S1188 | Line Runner | Malware | [Line Runner](https://attack.mitre.org/software/S1188) utilizes HTTP to retrieve and exfiltrate information staged using [Line Dancer](https://attack.... |
Frequently Asked Questions
What is T1041 (Exfiltration Over C2 Channel)?
T1041 is a MITRE ATT&CK technique named 'Exfiltration Over C2 Channel'. It belongs to the Exfiltration tactic(s). Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control...
How can T1041 be detected?
Detection of T1041 (Exfiltration Over C2 Channel) relies mainly on network traffic telemetry (connection creation, flow metadata and, where available, content). Because the data leaves over a channel that already exists, look for changes in how that channel is used rather than for a new connection: a client that sends far more data to an external host than it receives back, uploads clustered on a host that otherwise only beacons at a regular cadence, and processes using the network that do not normally do so. Endpoint telemetry that ties the network activity to the process and to recent file access (staging, compression) lets a SIEM or EDR correlate the upload with the collection that preceded it.
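The flow-level heuristic described above, as an added example that is not part of the ATT&CK page: it groups Zeek-style conn.log records by (source, destination, port), and flags channels with enough connections to count as established, a strongly outbound byte ratio, and a regular beacon cadence. The log excerpt, hosts and byte counts are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
"""Flow-based detection for T1041: an established C2 channel that starts carrying
outbound data. Added example; the conn.log lines below are constructed, not real."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed Zeek-style conn.log excerpt, tab-separated. Columns used:
# ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes.
# 10.0.0.5 beacons every 60 s to 203.0.113.10 and then pushes ~5 MB out over
# the same channel; 10.0.0.7 is ordinary browsing; 10.0.0.9 is one large SCP.
CONSTRUCTED_CONN_LOG = """\
1700000000.000\t10.0.0.5\t203.0.113.10\t443\ttcp\t612\t1402
1700000060.010\t10.0.0.5\t203.0.113.10\t443\ttcp\t598\t1388
1700000120.004\t10.0.0.5\t203.0.113.10\t443\ttcp\t2097152\t1410
1700000180.020\t10.0.0.5\t203.0.113.10\t443\ttcp\t2097152\t1395
1700000240.008\t10.0.0.5\t203.0.113.10\t443\ttcp\t1048576\t1401
1700000300.012\t10.0.0.5\t203.0.113.10\t443\ttcp\t604\t1399
1700000005.000\t10.0.0.7\t198.51.100.20\t443\ttcp\t1320\t85211
1700000091.000\t10.0.0.7\t198.51.100.20\t443\ttcp\t1180\t421004
1700000130.000\t10.0.0.7\t198.51.100.20\t443\ttcp\t1402\t62110
1700000422.000\t10.0.0.7\t198.51.100.20\t443\ttcp\t1250\t917332
1700000500.000\t10.0.0.7\t198.51.100.20\t443\ttcp\t1100\t33020
1700000700.000\t10.0.0.9\t192.0.2.30\t22\ttcp\t734003200\t4096
"""

Flow = Tuple[float, str, str, int, str, int, int]


def parse_conn_log(text: str) -> List[Flow]:
    """Parse the reduced conn.log format above into typed tuples."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, orig_b, resp_b = line.split("\t")
        flows.append((float(ts), src, dst, int(port), proto, int(orig_b), int(resp_b)))
    return flows


def score_channels(flows: List[Flow], min_conns: int = 5, min_ratio: float = 5.0,
                   min_upload: int = 1_000_000, max_jitter: float = 0.25) -> List[dict]:
    """Flag (src, dst, port) channels that look like an existing C2 channel now
    carrying exfiltration. Thresholds are assumptions for this example:
      min_conns   - connections needed before we treat the pair as 'established'
      min_ratio   - bytes sent / bytes received; C2 beacons alone are near 1:1 or inbound-heavy
      min_upload  - total outbound bytes before a ratio alone is worth an alert
      max_jitter  - coefficient of variation of inter-connection gaps; low = beacon-like
    """
    groups: Dict[Tuple[str, str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2], f[3])].append(f)

    alerts = []
    for (src, dst, port), fl in groups.items():
        if len(fl) < min_conns:
            continue  # a single large transfer is a different pattern (new channel), not T1041
        fl.sort()  # tuples sort by ts first
        sent = sum(f[5] for f in fl)
        recv = sum(f[6] for f in fl)
        ratio = sent / max(recv, 1)
        gaps = [b[0] - a[0] for a, b in zip(fl, fl[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        if sent >= min_upload and ratio >= min_ratio:
            alerts.append({
                "src": src, "dst": dst, "port": port, "connections": len(fl),
                "bytes_sent": sent, "bytes_received": recv,
                "ratio": round(ratio, 1), "mean_gap_s": round(avg_gap, 2),
                "beacon_like": jitter <= max_jitter,
            })
    return alerts


if __name__ == "__main__":
    for alert in score_channels(parse_conn_log(CONSTRUCTED_CONN_LOG)):
        print(alert)
```

The cadence check is what separates this from a plain "big upload" rule: a host that has been beaconing on a fixed interval and then pushes megabytes out over that same pair is the T1041 shape, while a one-off bulk transfer to a host never seen before is better handled by the alternative-protocol rules. In production, read the real conn.log (Zeek's full column set, or JSON), allowlist known upload destinations, and baseline ratios per host rather than using a single global threshold.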
What mitigations exist for T1041?
There are 2 documented mitigations for T1041. Key mitigations include: Network Intrusion Prevention, Data Loss Prevention.
Which threat groups use T1041?
Known threat groups using T1041 include: Scattered Spider, LuminousMoth, Sandworm Team, Chimera, GALLIUM, Higaisa, Ke3chang, APT39.