analyst@nohacky:~/mitre/T1041-Exfiltration-Over-C2-Channel.html
category MITRE ATT&CK
tactic Exfiltration
technique T1041
published March 2025
read_time 13 min

T1041 Exfiltration Over C2 Channel: Threat Actors and Campaigns Mapped

MITRE ATT&CK T1041 describes a technique as elegant in its simplicity as it is difficult to detect: stealing data over the same channel already established for command and control. This article maps the technique against confirmed real-world actors, malware families, and campaigns that have used it — from long-running nation-state espionage operations to commodity crimeware active in 2024 and 2025.

When an adversary deploys an implant on a compromised host, they establish a channel for sending commands and receiving results. T1041 exploits the fact that this channel is already present, already trusted by the network (or at least tolerated), and already generating traffic that analysts and tooling may have started tuning out as background noise. Rather than open a second, distinct connection to move stolen data — which creates a new, detectable network event — the adversary encodes the exfiltrated material directly into the existing C2 traffic stream.

From the network's perspective, the exfiltration looks like routine C2 beacon activity. The protocol is the same. The destination is the same. The only signal that meaningfully changes is data volume — and even that can be managed through staged transmission, throttling, and fragmentation. T1041 sits under the Exfiltration tactic (TA0010) in the MITRE ATT&CK Enterprise matrix and is documented without sub-techniques. Its breadth comes from the sheer number of implant families and threat actors that use it across every category of adversary.

How the Technique Operates

The mechanics vary by implant design, but the core pattern is consistent. After staging collected data — files, credentials, keylogger output, configuration data, screenshots — the implant serializes and encodes that data, then transmits it outbound during what appears to be a routine check-in or response packet. Recipients on the attacker-controlled infrastructure parse the exfiltrated content from the C2 traffic and store it.

Common implementation patterns include:

  • Chunked exfiltration over HTTPS: Stolen data is split into fixed-size blocks and transmitted as part of POST request bodies or response content to a C2 server presenting a legitimate-looking HTTPS endpoint. The SSL/TLS encryption that protects the command channel equally protects the exfiltrated payload from inspection.
  • DNS-based C2 with embedded data: Some implants use DNS queries as their C2 transport, encoding both commands and exfiltrated data into subdomain labels of queries to attacker-controlled nameservers. The technique blends with legitimate DNS traffic and frequently bypasses network controls that restrict web access but allow DNS egress.
  • Protocol-native encoding: Implants designed to blend into specific enterprise environments may use email protocols (SMTP, IMAP), messaging APIs, or cloud storage services as their C2 transport, embedding exfiltrated data into the content of messages or documents passed through those services.
  • Fragmentation and rate-limiting: To avoid triggering volume-based anomaly detection, implants often throttle exfiltration to small, infrequent transfers that stay within expected traffic baselines for the compromised host.

note

T1041 often operates alongside T1020 (Automated Exfiltration) and T1560 (Archive Collected Data). The collection and packaging usually happens first; T1041 is the mechanism for moving the prepared data out. Defenders who only look for large single-transfer events may miss staged, low-volume C2-channel exfiltration entirely.

Nation-State and Advanced Espionage Actors

Russia-Linked Actors

APT28 (Fancy Bear / Sednit / Forest Blizzard) — ESET's analysis of the Sednit toolset documents ADVSTORESHELL (also tracked as EVILTOSS) exfiltrating collected data over the same channel used for C2 communications. APT28 also used T1041 in a 2026 campaign exploiting an MSHTML vulnerability to exfiltrate sensitive data via encrypted channels from targeted Windows systems, per SecPod research.

Turla (Snake / Venomous Bear / Secret Blizzard) — one of the most sophisticated documented uses of T1041 appears in Turla's LightNeuron implant. Documented by ESET in 2019, LightNeuron operates as a malicious mail transfer agent plugin for Microsoft Exchange servers. It hijacks the Exchange transport agent pipeline to intercept, modify, and create emails — using the organization's own email flow as its C2 channel. Exfiltrated data is steganographically encoded into attached PDFs and JPEGs, transmitted through the victim's own outbound email infrastructure. The Turla Crutch backdoor, documented in 2020, uses Dropbox as a C2 channel, uploading stolen documents into attacker-controlled Dropbox folders over the same authenticated session used to receive commands. Penquin_x64, Turla's Linux implant, similarly uses its established C2 channel for data exfiltration from compromised Linux servers.

Gamaredon / Shuckworm (Aqua Blizzard / Primitive Bear) — the FSB-linked group targeting Ukrainian government, military, and NGO organizations has consistently used T1041 across its toolset evolution documented between 2017 and 2025. ESET's September 2024 analysis of Gamaredon's 2022–2023 toolset confirms exfiltration over established C2 channels. In a campaign observed in February 2025 by Symantec's Threat Hunter Team, Shuckworm targeted the military mission of an unnamed Western country in Ukraine using an updated PowerShell-based version of the GammaSteel infostealer that transmitted collected data through C2 infrastructure partially routed via Cloudflare tunnels — the same infrastructure used for command delivery.

DPRK-Linked Actors

Lazarus Group — North Korea's primary offensive cyber unit has used T1041 across multiple documented campaigns spanning financial institutions, cryptocurrency platforms, and defense contractors. The Operation Blockbuster investigation into the Sony Pictures attack confirmed C2-channel exfiltration as part of Lazarus's operational pattern. More recent campaigns targeting cryptocurrency exchanges and DevOps employees — documented by Unit 42 in 2024 — use implants that exfiltrate harvested credentials and session tokens over established C2 sessions. The BLINDINGCAN RAT, analyzed by CISA and US-CERT in 2020, exfiltrates system information and files over its C2 channel to DPRK-controlled infrastructure. The Contagious Interview campaign's InvisibleFerret component, documented through 2024 and 2025, sends harvested browser data, credentials, and cryptocurrency wallet information back through its C2 channel.

Kimsuky — the DPRK espionage group targeting South Korean government and defense organizations uses the AppleSeed backdoor, which exfiltrates keylogger output and captured documents via its C2 channel. Kimsuky's KGH spyware suite, documented by Cybereason, combines multiple collection modules whose output is consolidated and sent over the established C2 session. The group also distributed Troll Stealer in early 2024, a Go-based stealer signed with a valid certificate that exfiltrated GPKI folders, SSH data, browser credentials, and FileZilla configuration over its C2 channel.

SideCopy APT — documented targeting Pakistani and Indian military and government organizations, SideCopy uses implants that collect and exfiltrate data over their HTTP/HTTPS C2 channels, with the exfiltration blended into what appears to be routine update check traffic.

China-Linked Actors

APT40 (BRONZE MOHAWK / Leviathan / Kryptonite Panda) — a July 2024 joint advisory from CISA, FBI, and partner agencies detailing APT40 tradecraft confirmed the group's use of established C2 channels for exfiltrating data collected from government and critical infrastructure targets. The advisory documents APT40 using web shells and custom implants to collect and transmit data back to PRC-controlled infrastructure over the same sessions used for command execution.

APT32 (OceanLotus / Canvas Cyclone) — the Vietnamese-linked espionage group uses backdoors that exfiltrate collected documents and credential data over their established C2 sessions, documented across multiple campaigns targeting Southeast Asian governments and foreign corporations.

APT30 — one of the longest-running documented espionage campaigns. FireEye's 2015 analysis of APT30's decade-long operation against Southeast Asian government and defense targets documented C2-channel exfiltration as a core component of the group's toolset, including specialized plugins for handling exfiltration from air-gapped networks through the C2 infrastructure.

Lotus Blossom (Spring Dragon) — a Cisco Talos February 2025 report documented this China-linked group targeting multiple industries with Sagerunex implants and additional hacking tools that use established C2 channels to exfiltrate collected intelligence from government and critical infrastructure targets across Southeast Asia.

LuminousMoth — Kaspersky's July 2021 analysis of this Chinese-nexus group documented sweeping espionage operations against government targets in Southeast Asia where collected data was exfiltrated over the group's established C2 channels, with the technique used to move USB-harvested files from air-gap-proximate environments.

GALLIUM — Unit 42's June 2022 documentation of the group's expanded targeting across telecommunications, government, and finance sectors confirmed the use of PingPull and additional implants that exfiltrate collected data over established C2 channels.

LightSpy (BrazenBamboo / APT41 nexus) — a modular surveillance framework analyzed in 2024 that targets macOS and mobile devices, LightSpy exfiltrates a broad collection of data — Telegram and WeChat content, browser history, keychain data, screenshots, audio recordings — through its C2 channel using certificate pinning to resist interception. A 2024 analysis documented a renewed campaign targeting organizations in Southern Asia.

Iran-Linked Actors

APT39 (Chafer) — the Iranian group conducting systematic personal data collection operations against telecommunications and travel industries has used C2-channel exfiltration to move harvested subscriber and customer data to Iran-controlled infrastructure, as documented in multiple vendor analyses including Cybereason's Operation Soft Cell investigation.

OilRig (APT34 / Crambus / Helix Kitten) — OilRig has repeatedly used novel C2 mechanisms paired with T1041 for exfiltration. Palo Alto Networks documented OilRig targeting a Middle Eastern telecommunications organization using a C2 channel incorporating steganography to blend exfiltrated data into DNS traffic. OilRig's Outer Space and Juicy Mix campaigns in 2023, documented by ESET, further demonstrate the group's consistent use of established C2 sessions for data movement. The Lyceum subcluster's .NET DNS backdoor, documented by Secureworks in 2022, uses DNS as its combined C2 and exfiltration channel.

MuddyWater / MOIS — Iranian Ministry of Intelligence-linked operators have used implants whose collection outputs are transmitted over their C2 channels, including recent DCHSpy Android spyware documented in 2025 that harvests WhatsApp messages, contacts, SMS, call logs, and location data through its C2 session.

Moses Staff — the StrifeWater RAT used by this Iranian actor, documented by Cybereason in 2022, exfiltrates collected files and system data over its C2 channel during intrusions against Israeli organizations.

ArcaneDoor: C2 Exfiltration at the Network Perimeter (2024)

ArcaneDoor stands apart from most T1041 implementations because it operated entirely within network perimeter devices rather than on endpoint hosts. Cisco Talos documented this espionage campaign in April 2024, with the Canadian Centre for Cyber Security publishing a concurrent advisory. The attackers targeted Cisco Adaptive Security Appliance (ASA) VPN devices using two custom implants — Line Dancer and Line Runner.

Line Dancer operated as an in-memory shellcode loader on the ASA device itself, executing commands and capturing network configuration data, VPN credentials, and traffic. The exfiltration path was the implant's own C2 channel — communications established from within the network device, a location where traditional endpoint detection has no visibility. Because ASA devices handle all inbound and outbound VPN traffic, the implant had access to network configuration data and credential material that would be exceptionally valuable for follow-on operations against the organization's network and its connected partners.

This campaign illustrates why T1041 detection cannot rely solely on endpoint telemetry. When the C2 channel originates from a network device rather than a workstation or server, the exfiltration is invisible to EDR solutions and may only be detectable through out-of-band management plane monitoring and network device integrity verification.

critical

Network devices running implants like Line Dancer present a blind spot for endpoint-centric detection. Defenders need separate controls for network device integrity — including firmware verification, out-of-band management traffic monitoring, and restricted management plane access — to have any detection surface against this variant of T1041.

NOBELIUM and Supply Chain C2 Exfiltration

The NOBELIUM operation — attributed to Russia's SVR and responsible for the SolarWinds supply chain compromise — used T1041 through multiple implant stages, each transmitting collected intelligence through its respective C2 channel.

SUNBURST, the initial backdoor embedded in SolarWinds Orion updates, transmitted collected host enumeration data over its HTTPS C2 channel disguised as Orion API traffic. The implant encoded system information, network configuration, running process lists, and registry data into the body of what appeared to be routine Orion telemetry. TEARDROP and Raindrop, the second-stage payloads deployed against selected high-value targets, similarly transmitted collected data through their respective C2 channels. FoggyWeb, a targeted backdoor deployed against ADFS servers, exfiltrated SAML token signing certificates and federation metadata over its C2 channel — data enabling long-term persistent access to federated cloud environments. GoldMax and SUNSHUTTLE, additional backdoors deployed in the operation, both used their established C2 channels for exfiltrating collected intelligence from targeted US-based entities.

Ransomware and Crimeware Operators

T1041 is not confined to nation-state actors. Ransomware operators conducting double extortion — where data is stolen before encryption to increase leverage — frequently exfiltrate through the same C2 infrastructure used to deploy and manage their ransomware payloads.

  • BlackByte — Microsoft's July 2023 case study of a BlackByte ransomware intrusion documented data exfiltration occurring through the group's C2 channel prior to encryption, consistent with double-extortion methodology. The group used a five-day intrusion-to-deployment timeline with exfiltration staged across the dwell period.
  • REvil / Sodinokibi — documented by the Counter Threat Unit team as a ransomware-as-a-service operation that consistently used C2-channel exfiltration to collect evidence of data theft before deploying encryption, providing leverage for ransom negotiations.
  • Latrodectus — a loader and implant family tracked by Proofpoint and Team Cymru, documented in 2024, uses its C2 channel for exfiltration of system information and credentials harvested from infected hosts, functioning as an initial access broker tool that feeds collected data to downstream operators.
  • PIKABOT — analyzed by Elastic in early 2024, this modular loader exfiltrates system reconnaissance data over its C2 channel as part of its initial staging activity before deploying secondary payloads.
  • Lumma Stealer — widely distributed crimeware documented in 2024 campaigns using fake CAPTCHA pages and cracked software distribution. Lumma exfiltrates browser credentials, cryptocurrency wallet data, and stored authentication tokens over its HTTPS C2 channel, with Qualys and Fortinet both documenting active campaigns through late 2024 and into 2025.
  • Cuckoo — a macOS malware described by Malwarebytes in April 2024 as behaving like a cross between an infostealer and spyware, Cuckoo exfiltrates collected system data, credentials, and browser history over its C2 channel while also maintaining persistent access for ongoing collection.
  • DarkGate — documented as a multi-purpose tool offering cryptocurrency mining, ransomware, and RAT capabilities, DarkGate uses its C2 channel to exfiltrate collected credentials and file data while receiving operational commands from its operators.

Specialist and Protocol-Specific C2 Exfiltration

Some of the more technically distinctive documented uses of T1041 involve implants that exploit specific protocols or services as their combined C2 and exfiltration channel, making detection substantially harder:

  • Attor — a Turla-attributed espionage platform documented by ESET in 2019 that uses AT commands over serial GSM connections as part of its C2 infrastructure, alongside Tor-based channels. Attor's collected intelligence — including audio recordings from attached microphones and document copies — is exfiltrated over its established Tor C2 channel, making network-level detection particularly challenging.
  • POLONIUM (Plaid Rain) — Microsoft documented this group in 2022 targeting Israeli organizations using OneDrive as a C2 and exfiltration channel, uploading collected files into attacker-controlled OneDrive folders through the same legitimate cloud sync mechanism used as the command channel.
  • Transparent Tribe (APT36) — documented by researchers including Cisco Talos as using implants that exfiltrate collected documents through C2 channels over HTTP, targeting the Indian education sector and government organizations. The group expanded this approach in 2022 campaigns documented by Secureworks.
  • Yellow Liderc / TICKLER — PwC documented this group delivering IMAPLoader malware in 2023 that uses IMAP email protocol as its C2 channel, receiving commands from a controlled email inbox and exfiltrating collected data by sending it to the same inbox as email attachments.
  • MoustachedBouncer — ESET documented this group in 2023 conducting espionage against foreign diplomats in Belarus, using implants that exfiltrate collected intelligence over web service C2 channels while the C2 infrastructure leverages ISP-level network interception to redirect targets.

Campaign Reference Map

The table below maps confirmed T1041 usage to attribution, targeting, and primary C2 protocol, drawn from documented threat intelligence sources as of March 2025.

Actor / Malware | Attribution | Primary C2/Exfil Protocol | Targeting and Notes
ADVSTORESHELL | APT28 / Russia | HTTPS | European government and defense targets; C2 channel carries collected file data and keylogger output
Turla LightNeuron | Turla / Russia | Email (Exchange transport) | Exfiltrated data steganographically embedded in PDF/JPEG attachments sent through victim's own Exchange infrastructure
Turla Crutch | Turla / Russia | Dropbox API (HTTPS) | European foreign ministries; stolen documents uploaded to attacker-controlled Dropbox over the same authenticated session used for C2
GammaSteel / Gamaredon | Shuckworm / Russia (FSB) | HTTP/HTTPS with Cloudflare tunnel | Ukraine military and government targets; persistent collection and exfiltration operations 2022–2025
SUNBURST / FoggyWeb | NOBELIUM / Russia (SVR) | HTTPS (Orion-mimicking) | SolarWinds supply chain; collected host enumeration, SAML signing certificates, federation metadata
Line Dancer (ArcaneDoor) | Unattributed (nation-state) | C2 from within ASA device | Network perimeter devices; VPN configuration, credentials, traffic — no endpoint EDR visibility
AppleSeed / KGH Suite | Kimsuky / DPRK | HTTP/HTTPS | South Korean government and defense; keylogger output, documents exfiltrated over C2 session
Troll Stealer | Kimsuky / DPRK | HTTPS | GPKI data, SSH, browser credentials, FileZilla config; signed with valid certificate, 2024 campaign
BLINDINGCAN | Lazarus / DPRK | HTTPS | Defense and government targets; system information and files exfiltrated over C2 to DPRK-controlled infrastructure
InvisibleFerret | Lazarus / DPRK | HTTPS | Tech sector job seekers; browser data, credentials, crypto wallet data via Contagious Interview campaign 2024–2025
LightSpy | BrazenBamboo / China (APT41 nexus) | HTTPS (certificate-pinned) | macOS and mobile targets; Telegram/WeChat data, keychain, audio, browser history — 2024 renewed campaign targeting South Asia
PingPull / GALLIUM | GALLIUM / China | HTTPS / ICMP / DNS | Telecom, government, and finance sectors globally; multi-protocol C2 with exfiltration over established sessions
Sagerunex (Lotus Blossom) | Lotus Blossom / China | HTTPS | Southeast Asia government and critical infrastructure; multiple industries targeted, documented February 2025
OilRig DNS steganography | OilRig / Iran (APT34) | DNS (steganographic) | Middle East telecom; exfiltrated data embedded in DNS query structure over same channel used for C2 commands
IMAPLoader | Yellow Liderc / Iran | IMAP email | Receives commands from and exfiltrates to attacker-controlled email inbox via IMAP protocol
Attor | Turla / Russia | Tor + AT/GSM | Eastern European and Central Asian targets; audio recordings and documents exfiltrated over Tor C2 channel
Lumma Stealer | Crimeware (RaaS) | HTTPS | Widespread; browser credentials, crypto wallets exfiltrated over HTTPS C2; high-volume campaigns through 2024–2025
Latrodectus | Crimeware (IAB) | HTTPS | Credential and system data exfiltrated over C2; used as IAB tool feeding downstream ransomware operations, 2024

Detection and Response

T1041 is challenging to detect precisely because it exploits channels that security controls have already evaluated and permitted. The traffic looks like the C2 traffic the defender has already decided to treat as background noise — or has failed to block because it uses legitimate protocols and services. Effective detection requires shifting focus from the initial C2 connection to the behavioral characteristics of what that connection is carrying over time.

  1. Baseline and anomaly-detect egress volume per host: A host that normally transfers 200KB per day outbound through a known application's API endpoint that suddenly transfers 50MB over two hours is a behavioral anomaly regardless of whether the destination is classified as malicious. Beacon-like traffic with occasional large response payloads is a pattern worth alerting on even when the individual connection looks clean.
  2. TLS inspection at egress: Encrypted C2 channels hide exfiltrated content from passive inspection. Without TLS inspection (SSL termination at a forward proxy), defenders are limited to metadata — volume, timing, destination — rather than content. For environments where inspection is feasible, it adds substantial detection coverage for T1041 over HTTPS.
  3. DNS query volume and entropy analysis: DNS-based C2 with embedded exfiltration produces characteristic patterns — high query volumes, unusually long subdomain labels, high entropy in subdomain strings, and consistent periodic queries to domains with low or no historical lookup frequency. Monitoring for these patterns through DNS logging is one of the few controls that covers DNS-channel T1041.
  4. Network device integrity monitoring: ArcaneDoor demonstrated that C2 implants on network devices are invisible to endpoint-centric telemetry. Defenders need separate controls: configuration baseline verification on network appliances, restricted management plane access, out-of-band monitoring of device management traffic, and vendor-provided integrity attestation tools.
  5. Cloud service exfiltration monitoring: Turla Crutch and similar implants abuse legitimate cloud services (Dropbox, OneDrive) as C2 and exfiltration channels. CASB (Cloud Access Security Broker) policies that enforce approved account usage for cloud storage can detect anomalous uploads to unrecognized account identifiers even when the traffic traverses legitimate cloud service infrastructure.
  6. Email flow anomaly detection: LightNeuron and IMAPLoader use email protocols as their combined C2 and exfiltration transport. Mail flow analysis looking for unusual attachment volumes, uncommon recipient patterns, or anomalous email sending from hosts that do not normally generate outbound email can surface these implants.
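Detection controls 1 and 3 above (per-host egress baselining and DNS label length/entropy analysis) are the two that can be exercised purely from logs, so here they are as working code. This is an added example written for this briefing, not tooling from MITRE or from any vendor cited here. The proxy and DNS log formats, the field order, the hostnames, the `cdn-telemetry.example` zone and the thresholds (10x the host's median daily egress; labels longer than 30 characters with Shannon entropy of at least 3.5 bits per character, seen three or more times) are all assumptions chosen for illustration; the log lines are constructed.

```python
"""Two T1041 detection heuristics run over constructed log lines.

Added example, not from the briefing or any cited vendor:
  (1) per-host egress-volume baselining against a proxy-style log, and
  (2) DNS leftmost-label length/entropy scoring against a resolver-style log.
Log formats, field names, hostnames and thresholds are assumptions.
"""
import math
from collections import defaultdict

# Constructed proxy log: "<day> <src_host> <dst> <bytes_out>" (format assumed).
# ws-017 moves ~200 KB/day for three days, then 50 MB on day four.
PROXY_LOG = """\
2025-03-01 ws-017 api.example-saas.com 204800
2025-03-02 ws-017 api.example-saas.com 198000
2025-03-03 ws-017 api.example-saas.com 210000
2025-03-04 ws-017 api.example-saas.com 52428800
2025-03-01 ws-042 api.example-saas.com 150000
2025-03-02 ws-042 api.example-saas.com 160000
2025-03-03 ws-042 api.example-saas.com 155000
2025-03-04 ws-042 api.example-saas.com 158000
"""

# Constructed DNS log: "<src_host> <qname>" (format assumed).
# ws-017 issues long, random-looking leftmost labels under one zone.
DNS_LOG = """\
ws-017 www.example.com
ws-017 mail.example.com
ws-017 a9f3k2x7q1z8b4n6v0c5m2l7p3r8t1y6w4e9u2i5o7.cdn-telemetry.example
ws-017 q2w8e4r6t1y7u3i9o5p0a7s3d6f2g8h4j1k5l9z3x7.cdn-telemetry.example
ws-017 z9x3c7v1b5n2m8a4s6d0f3g7h1j5k9l2q4w8e6r0t2.cdn-telemetry.example
ws-042 www.example.com
ws-042 login.microsoftonline.com
"""


def parse_proxy(log):
    """Return {host: [(day, bytes_out), ...]} with bytes summed per day."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        day, host, _dst, nbytes = line.split()
        per_day[host][day] += int(nbytes)
    return {h: sorted(d.items()) for h, d in per_day.items()}


def egress_anomalies(log, multiplier=10.0, min_history=2):
    """Flag (host, day, bytes, baseline) where a day's outbound volume exceeds
    `multiplier` times the median of that host's earlier days. The baseline is
    built only from days before the one being scored, so a slow ramp-up of
    exfiltration does not poison its own baseline on the day it is scored."""
    findings = []
    for host, days in parse_proxy(log).items():
        history = []
        for day, nbytes in days:
            if len(history) >= min_history:
                baseline = sorted(history)[len(history) // 2]
                if baseline > 0 and nbytes > multiplier * baseline:
                    findings.append((host, day, nbytes, baseline))
            history.append(nbytes)
    return findings


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_anomalies(log, max_label_len=30, min_entropy=3.5, min_queries=3):
    """Flag (host, zone, count) where a host sends at least `min_queries`
    queries whose leftmost label is both long and high-entropy. Grouping by
    the last two labels approximates the registered zone; a real deployment
    would use the public suffix list instead (assumption)."""
    suspicious = defaultdict(int)
    for line in log.splitlines():
        host, qname = line.split()
        labels = qname.rstrip(".").split(".")
        first = labels[0]
        if len(first) > max_label_len and shannon_entropy(first) >= min_entropy:
            zone = ".".join(labels[-2:])
            suspicious[(host, zone)] += 1
    return [(h, z, c) for (h, z), c in suspicious.items() if c >= min_queries]


if __name__ == "__main__":
    for finding in egress_anomalies(PROXY_LOG):
        print("egress anomaly:", finding)
    for finding in dns_anomalies(DNS_LOG):
        print("dns anomaly:", finding)
```

Both detectors are deliberately metadata-only: neither needs TLS inspection, which is the point made in control 2 above. The volume detector is the one that catches chunked HTTPS exfiltration when content is opaque; the DNS detector only fires on repeated high-entropy labels to one zone, so a single long CDN hostname does not alert. Tune `multiplier`, `max_label_len` and `min_entropy` against your own baselines before relying on them.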

warning

MITRE maps M1031 (Network Intrusion Prevention) and M1057 (Data Loss Prevention) as the primary mitigations for T1041. Both require TLS inspection to be effective against encrypted C2 channels. Organizations that do not perform TLS inspection at egress will have limited DLP and IPS coverage against T1041 in practice — regardless of how mature those controls appear on paper.

Key Takeaways

  1. T1041 has no sub-techniques but near-universal adoption: The technique's breadth comes from the fact that any implant that maintains a C2 channel can use that channel for exfiltration. It appears across every category of threat actor — nation-state, ransomware operator, crimeware, and espionage-focused groups — making it one of the highest-frequency techniques in the ATT&CK corpus.
  2. Protocol choice determines detection surface: HTTPS-based C2 exfiltration requires TLS inspection to detect content. DNS-based exfiltration requires DNS query analysis. Email-protocol exfiltration requires mail flow monitoring. There is no single detection control that covers all implementations — defenders need to understand which protocols each implant family uses.
  3. ArcaneDoor expanded the scope to network devices: The 2024 campaign targeting Cisco ASA devices demonstrates that T1041 is not confined to endpoint implants. Network perimeter devices that run C2 implants represent a detection blind spot that endpoint-centric security programs do not address.
  4. Volume and timing patterns are the primary detectable signals: When content is encrypted and the destination is permitted, behavioral anomaly detection on volume, timing, and frequency is often the only available detection signal. Baselining expected egress per host and alerting on deviations is foundational to T1041 detection.
  5. 2024 and 2025 activity confirms ongoing active use: ArcaneDoor, GammaSteel, Troll Stealer, InvisibleFerret, Lumma Stealer, and multiple additional families documented in this period confirm T1041 remains a primary technique for both nation-state and crimeware operators against current targets.

T1041 is popular because it is operationally efficient: one established channel, one detection surface to manage, and the cover of traffic that defenders have already decided is present on their network. The threat actors who rely on it range from the most capable state-sponsored operators in the world to commodity malware operators running at scale. The MITRE ATT&CK page at attack.mitre.org/techniques/T1041/ continues to be updated as new procedure examples are reported.

— end of briefing