technique_id: T1041
category: MITRE ATT&CK
tactics: Exfiltration
published: March 2026

T1041: Exfiltration Over C2 Channel

The simplest way to steal data is to send it out the same door you came in through. Exfiltration Over C2 Channel is exactly that — adversaries embed stolen data into the same communication channel they are already using for command and control, blending exfiltration traffic with the beaconing, command delivery, and response traffic that their implant generates as part of normal operations. There is no second connection to detect, no additional tool to deploy, no new protocol to configure. A Cobalt Strike beacon that checks in over HTTPS every 60 seconds can include a stolen file in its next callback. An infostealer that reports to its C2 via a custom protocol can append harvested credentials to a routine heartbeat. T1041 is the default exfiltration mechanism for the vast majority of malware and post-exploitation frameworks, making it one of the most widely observed techniques in the entire MITRE ATT&CK knowledge base.

The default exfiltration method — 250+ documented procedure examples

T1041 has one of the highest documented procedure counts in the MITRE ATT&CK framework, with over 250 malware families and threat groups using this technique. Its prevalence is a direct consequence of its simplicity: any malware that communicates with a C2 server can exfiltrate data by simply including stolen information in its outbound traffic. The technique requires no additional infrastructure, no separate exfiltration channel, and no specialized tooling. From the simplest RAT sending keystrokes to its operator, to the SUNBURST backdoor embedding reconnaissance data in HTTP responses that mimicked legitimate SolarWinds telemetry, T1041 spans every level of adversary sophistication. The Picus Red Report 2025 identified encrypted exfiltration as a defining characteristic of modern "heist-style" campaigns, and C2 channel exfiltration is the primary mechanism through which that encrypted data theft occurs.

T1041 falls under the Exfiltration tactic (TA0010). Unlike T1567 (Exfiltration Over Web Service), which routes stolen data through legitimate third-party services like Mega or Google Drive, T1041 sends data directly to attacker-controlled infrastructure using the same protocol and connection that the implant already uses for C2 communications. This means the exfiltration traffic is architecturally indistinguishable from the C2 traffic itself — if the C2 channel has evaded detection, the exfiltration will too.

The technique has no sub-techniques because the implementation is defined by the C2 protocol being used rather than by the exfiltration method itself. A RAT that uses HTTPS for C2 will exfiltrate over HTTPS. A DNS tunneling implant will exfiltrate over DNS. A malware family using a custom binary protocol over TCP will embed stolen data in that same protocol. The exfiltration method is inherited from the C2 channel, not chosen independently.

How C2 Channel Exfiltration Works

C2 channel exfiltration follows a consistent pattern regardless of the underlying protocol: the malware collects data from the compromised system, encodes or encrypts it, and includes it in the next outbound C2 communication. The specific mechanisms vary by protocol type.

HTTPS-Based Exfiltration

The dominant C2 and exfiltration protocol in modern malware. Adversaries embed stolen data in HTTPS POST requests, query parameters, HTTP headers, or cookie values directed at their C2 infrastructure. Because HTTPS traffic is encrypted end-to-end, network security devices cannot inspect the payload content without TLS interception. Cobalt Strike's Beacon implant, the most widely observed post-exploitation framework in real-world incidents, exfiltrates data by including files and command output in its periodic HTTPS callbacks. The traffic appears as normal HTTPS requests to what may look like a legitimate website, CDN endpoint, or cloud service — Cobalt Strike supports malleable C2 profiles that shape traffic to mimic specific applications.

The SUNBURST backdoor represents the gold standard of HTTPS-based C2 exfiltration. It embedded reconnaissance data in HTTP traffic that mimicked the SolarWinds Orion Improvement Program (OIP) protocol, making the exfiltration indistinguishable from legitimate software telemetry. Stolen data was encoded and included in what appeared to be normal configuration update requests, allowing the backdoor to operate undetected for approximately 14 months.

DNS-Based Exfiltration

DNS tunneling encodes stolen data in DNS queries — typically as subdomains of an attacker-controlled domain. A DNS query to aGVsbG8gd29ybGQ.exfil.attacker.com carries base64-encoded data in the subdomain, which the attacker's authoritative DNS server decodes when it receives the query. DNS exfiltration is slow (limited by DNS query size constraints) but extremely difficult to detect because DNS traffic is ubiquitous, rarely inspected, and often allowed even in heavily restricted network environments. The SUNBURST backdoor used DNS queries to attacker-controlled domains for initial C2 communication before switching to HTTP for larger data transfers. OilRig (APT34) has used novel DNS-based C2 and exfiltration channels, including steganographic encoding of data within DNS responses.

Custom Protocol Exfiltration

Advanced threat actors and specialized malware families use custom binary protocols over TCP or UDP for both C2 and exfiltration. These protocols are designed to evade signature-based detection because they do not match any known protocol format. The Attor espionage platform, attributed to a Russian-speaking group, used Tor-based communications with custom encrypted protocols for both command delivery and data exfiltration. ArcaneDoor, the espionage campaign targeting Cisco ASA VPN devices discovered in 2024, used custom C2 channels embedded in the network device's management protocols to exfiltrate data from compromised perimeter devices. The ADVSTORESHELL backdoor, attributed to APT28 (Sofacy), exfiltrates data over the same custom channel used for C2 communications.

Application Layer Protocol Abuse

Adversaries increasingly route C2 and exfiltration through legitimate application layer protocols and services. The Picus Red Report 2025 identified T1071 (Application Layer Protocol) as a top-ten technique, with adversaries embedding C2 and exfiltration traffic in protocols like HTTPS, DNS, SMTP, and even cloud API calls. The SesameOp backdoor, highlighted in the Red Report 2026, routed all traffic through OpenAI's Assistants API, making C2 and exfiltration traffic appear as legitimate AI development activity. Storm-0501 queried cloud secrets stores via API to harvest credentials, using the cloud provider's own APIs as both a C2 and exfiltration channel.

Data Encoding and Chunking

Before exfiltration, stolen data is typically encoded (Base64 is the most common), encrypted (AES, XOR, or custom ciphers), and fragmented into chunks that match the size constraints of the C2 protocol. HTTP-based exfiltration may limit individual uploads to match typical web request sizes. DNS tunneling splits data into chunks of roughly 63 characters (the DNS label length limit) across sequential queries. QakBot (QBot) encodes collected data and embeds it in its regular C2 callbacks, using the same encryption and communication protocol for both command responses and exfiltrated data. The Flagpro malware, attributed to BlackTech, encodes gathered information with Base64 and sends it as HTTP requests to its C2 server.

Why C2 Channel Exfiltration Matters

Detection is tied to C2 detection. If an organization cannot detect the C2 channel, it cannot detect the exfiltration. This creates a single point of failure: the same evasion techniques that hide the C2 connection (domain fronting, malleable profiles, legitimate service abuse, DNS tunneling, encrypted channels) also hide the data theft. The Picus Blue Report 2025 found that while 54% of attacker activity is logged, only 14% generates an alert, meaning that C2 traffic — and the exfiltration it carries — frequently operates below detection thresholds.

No additional indicators. Unlike T1567 (which involves connections to cloud storage services, Rclone binaries, or Mega traffic), T1041 generates no new indicators beyond what the C2 channel itself produces. There is no new process to detect, no new network connection to flag, no new tool to identify. The exfiltration is invisible unless the C2 traffic is visible.

Universal adoption. Every remote access trojan, every infostealer, every post-exploitation framework that collects data from compromised systems exfiltrates that data over its C2 channel by default. This is not a technique that adversaries choose — it is the inherent behavior of their tooling. Detecting T1041 is therefore equivalent to detecting the malware or implant itself.

Throttling defeats volumetric detection. Sophisticated adversaries throttle their exfiltration to match normal traffic patterns. Rather than transferring a 10GB database in one burst, they may exfiltrate 100KB per beacon interval over weeks. This low-and-slow approach defeats volumetric anomaly detection and makes the exfiltration invisible at the network level. The Picus Red Report 2026's finding that adversaries have shifted to "parasitic silent residency" directly applies to T1041 — long-lived implants that exfiltrate data gradually over extended periods.

Real-World Case Studies

SUNBURST / APT29 — Exfiltration Disguised as SolarWinds Telemetry

The SUNBURST backdoor, deployed through the compromised SolarWinds Orion update mechanism, represents the most sophisticated documented use of T1041. The backdoor's C2 and exfiltration traffic was designed to be indistinguishable from legitimate SolarWinds OIP (Orion Improvement Program) telemetry. Reconnaissance data was encoded and included in HTTP responses that followed the exact format and timing of normal Orion communications. Subsequent-stage payloads including TEARDROP and GoldMax (SUNSHUTTLE) continued this pattern, exfiltrating data over HTTPS to infrastructure that was carefully configured to mimic legitimate cloud services. The exfiltration operated undetected for approximately 14 months, demonstrating that T1041 can sustain long-term data theft when the C2 channel is sufficiently well-disguised.

ArcaneDoor — Exfiltration from Network Perimeter Devices (2024)

In April 2024, Cisco Talos and the Canadian Centre for Cyber Security disclosed ArcaneDoor, an espionage campaign targeting Cisco ASA VPN appliances. The threat actors implanted backdoors directly on perimeter network devices — a position that gave them access to network traffic, VPN credentials, and configuration data. Exfiltration was performed over the C2 channel that the implants established from the compromised ASA devices. Because the ASA sits at the network perimeter, the C2 and exfiltration traffic appeared to originate from the firewall itself, making it nearly impossible to distinguish from legitimate device management traffic. This case demonstrates T1041 at the infrastructure level, where the compromised device's trusted network position provides inherent cover for exfiltration.

Infostealers — Raccoon, Redline, and the Credential Theft Pipeline

The modern infostealer ecosystem runs on T1041. Raccoon Stealer v2, Redline Stealer, Amadey, Azorult, and hundreds of similar malware families collect browser credentials, cryptocurrency wallets, session cookies, and system information, then exfiltrate the collected data directly over their C2 channels. Raccoon Stealer v2 communicates with its C2 over HTTPS, sending base64-encoded stolen data in POST requests. Redline uses a similar pattern, encoding harvested data and transmitting it via its existing C2 protocol. The Picus Red Report 2025 documented a threefold increase in credential theft, driven primarily by infostealers that use T1041 as their exfiltration mechanism. These infostealers operate at massive scale — millions of compromised credentials appear in underground markets weekly, all harvested and exfiltrated via C2 channels.

Gamaredon / Shuckworm — Persistent Exfiltration from Ukrainian Targets (2022-2025)

Russia's Gamaredon Group (Shuckworm) has conducted relentless espionage operations against Ukrainian government and military organizations, exfiltrating stolen documents and intelligence data over C2 channels. ESET's 2024 analysis of Gamaredon's toolset documented how the group's malware collects files matching intelligence-relevant extensions and transmits them to C2 infrastructure via the same channels used for command delivery. In April 2025, Symantec reported Gamaredon targeting a foreign military mission based in Ukraine, using updated tooling that continued the pattern of C2-channel exfiltration. The group's persistence and volume — continuously cycling through C2 infrastructure while maintaining exfiltration operations — illustrates how T1041 supports sustained intelligence collection campaigns.

Cobalt Strike — The Ubiquitous C2 and Exfiltration Framework

Cobalt Strike's Beacon implant is the single most commonly encountered post-exploitation tool in real-world incidents, used by both legitimate red teams and criminal operators (including Ryuk, Conti, and BlackByte ransomware affiliates). Beacon exfiltrates data by including it in its periodic HTTPS or DNS callbacks to the team server. When an operator downloads a file from a compromised host, the file is transmitted as part of Beacon's next C2 communication. Cobalt Strike's malleable C2 profiles allow operators to shape their traffic to mimic specific applications — making the combined C2 and exfiltration traffic appear as legitimate web browsing, cloud service usage, or API calls. The framework's prevalence means that a significant portion of all T1041 activity in the wild is attributable to Cobalt Strike or its derivatives (Sliver, Brute Ratel, Havoc).

Contagious Interview / InvisibleFerret — Cross-Platform C2 Exfiltration

North Korean actors operating the Contagious Interview campaign deploy InvisibleFerret, a cross-platform backdoor that operates on Windows, macOS, and Linux. InvisibleFerret collects files, browser data, and credentials from compromised developer workstations, then exfiltrates the collected data through its C2 channel using dedicated upload commands. The malware's ssh_upload functionality transmits discovered files over the same encrypted connection used for command delivery, demonstrating T1041 across all three major operating system platforms.

Detection Strategies

Detecting T1041 is fundamentally about detecting the C2 channel that carries the exfiltration. If the C2 connection is identified and blocked, the exfiltration stops automatically. Detection strategies therefore focus on identifying anomalous network traffic patterns, suspicious beaconing behavior, and indicators of C2 communication.

Detection is equivalent to C2 detection

You cannot detect T1041 in isolation — it is inseparable from the C2 channel. Every detection strategy listed here is fundamentally a C2 detection strategy. The good news is that detecting the C2 channel stops both the command-and-control capability and the exfiltration simultaneously. Invest in C2 detection (beaconing analysis, JA3/JA4 fingerprinting, DNS anomaly detection, and threat intelligence) and T1041 detection follows automatically.

Key Monitoring Points

Data Source | What to Monitor | Detection Logic
Network Traffic (Flow/NetFlow) | Beaconing patterns | Analyze outbound connection timing for regular intervals (jittered or fixed-cadence callbacks). Cobalt Strike's default sleep is 60 seconds with jitter; statistical analysis of connection intervals to the same destination reveals beaconing even with jitter applied
Network Traffic (Volumetric) | Asymmetric data transfer ratios | Flag connections where the host sends significantly more data than it receives from a given destination over time. C2 exfiltration typically produces an upload-heavy traffic pattern to the C2 server
DNS Traffic | DNS tunneling indicators | Monitor for long subdomain labels (high entropy), high volumes of TXT or NULL record queries to a single domain, and queries with base64 or hex-encoded subdomains, all indicators of DNS-based exfiltration
TLS/SSL Metadata | JA3/JA4 fingerprints and certificate anomalies | Compare TLS client fingerprints against known-good profiles. Malware often generates unique JA3/JA4 hashes that differ from legitimate browsers. Flag connections to IPs with self-signed, recently issued, or free (Let's Encrypt) certificates that do not match the claimed domain
Proxy / Web Gateway Logs | Uncommon User-Agent strings and request patterns | Flag HTTP/HTTPS connections with missing, unusual, or known-malware User-Agent strings. Monitor for POST requests with unusually large bodies to uncommon domains, and connections to newly registered or low-reputation domains
Threat Intelligence | Known C2 infrastructure | Correlate network connections with threat intelligence feeds (C2 IP lists, domain blocklists, JA3 hash databases). Services like C2 Tracker maintain updated lists of known C2 infrastructure
Endpoint / EDR | Process network activity | Flag processes that make persistent outbound connections to external IPs, especially from user-writable directories, unsigned binaries, or processes that should not have network activity (e.g., notepad.exe, calc.exe)

Splunk Detection Queries

Query 1: Beaconing Detection via Connection Interval Analysis

Identifies hosts making regular-interval connections to external destinations, a hallmark of C2 beaconing that also carries exfiltrated data. The beacon_score is the average number of connections per active five-minute slot; a steady value sustained across many slots indicates a fixed-cadence callback rather than bursty user activity.

(index=firewall OR index=proxy) dest_port=443
| bin _time span=5m
| stats count dc(_time) as time_slots by src_ip dest_ip
| where time_slots > 50 AND count > 100
| eval beacon_score=round(count/time_slots,2)
| where beacon_score > 1.5 AND beacon_score < 3
| sort -beacon_score
| table src_ip dest_ip count time_slots beacon_score

Query 2: Asymmetric Upload Traffic (Upload-Heavy Connections)

Detects connections where the source sends significantly more data than it receives, which may indicate data exfiltration over C2.

index=firewall OR index=proxy
| stats sum(bytes_out) as total_out sum(bytes_in) as total_in by src_ip dest_ip
| eval ratio=if(total_in>0, round(total_out/total_in,2), 999)
| where total_out > 104857600 AND ratio > 10
| eval MB_sent=round(total_out/1048576,1)
| eval MB_received=round(total_in/1048576,1)
| sort -total_out
| table src_ip dest_ip MB_sent MB_received ratio
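The two queries above measure beacon regularity and upload asymmetry separately. The following Python is an added illustration (not code from the original briefing or from any vendor's product) that computes both signals over the same flow records, scoring each source/destination pair by the coefficient of variation of its inter-connection gaps and by its bytes-out to bytes-in ratio. The flow records are constructed inline, and the field names (src_ip, dest_ip, ts, bytes_out, bytes_in) are assumptions modelled on the fields used in the queries.

```python
"""Beaconing regularity and upload-ratio scoring over constructed flow records.

Added illustration; not code from the original briefing or from any vendor's
product. The flow records are constructed inline, and the field names
(src_ip, dest_ip, ts, bytes_out, bytes_in) are assumptions modelled on the
fields used in the Splunk queries above.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev


def make_flows():
    """Construct synthetic flow records.

    Pair 1 (10.0.0.5 -> 203.0.113.10): a 60-second sleep with 20 % jitter and a
    fixed upload per callback, i.e. a beacon that carries data out.
    Pair 2 (10.0.0.7 -> 198.51.100.20): human-driven browsing with exponentially
    distributed gaps and download-heavy byte counts.
    Addresses are RFC 5737 documentation ranges, constructed for this example.
    """
    random.seed(7)  # deterministic synthetic data
    flows = []
    t = 0.0
    for _ in range(120):  # two hours of callbacks
        t += 60 * random.uniform(0.8, 1.2)
        flows.append({"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "ts": t,
                      "bytes_out": 100_000, "bytes_in": 500})
    t = 0.0
    for _ in range(120):
        t += random.expovariate(1 / 60)  # irregular gaps, mean 60 s
        flows.append({"src_ip": "10.0.0.7", "dest_ip": "198.51.100.20", "ts": t,
                      "bytes_out": 1_500, "bytes_in": 80_000})
    return flows


def score_pairs(flows, min_conns=20):
    """Per (src_ip, dest_ip) pair, compute:
    - jitter: stdev/mean of inter-connection gaps (near 0 for a fixed cadence,
      roughly 0.1-0.3 for a jittered beacon, around 1 for human-driven traffic);
    - upload_ratio: total bytes_out / total bytes_in (above ~10 is upload-heavy).
    Pairs with fewer than min_conns records are skipped as statistically weak.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src_ip"], f["dest_ip"])].append(f)
    results = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_conns:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        total_out = sum(r["bytes_out"] for r in recs)
        total_in = sum(r["bytes_in"] for r in recs)
        results[pair] = {
            "count": len(recs),
            "mean_gap_s": round(avg_gap, 1),
            "jitter": round(pstdev(gaps) / avg_gap, 3) if avg_gap else 0.0,
            "upload_ratio": round(total_out / total_in, 2) if total_in else float("inf"),
        }
    return results


def flag_beacons(scores, max_jitter=0.3, min_ratio=10.0):
    """Pairs whose cadence is regular AND whose traffic is upload-heavy: the
    combination the monitoring table above describes for C2-carried exfiltration."""
    return sorted(pair for pair, s in scores.items()
                  if s["jitter"] <= max_jitter and s["upload_ratio"] >= min_ratio)


if __name__ == "__main__":
    scores = score_pairs(make_flows())
    for pair, s in scores.items():
        print(pair, s)
    print("flagged:", flag_beacons(scores))
```

Interval-based scoring is more robust to jitter than counting connections per time bin, because a beacon with 20 % jitter still has a tight gap distribution while a human session does not. Run over real NetFlow, the min_conns floor matters: a pair with five connections can look perfectly regular by chance.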

Query 3: DNS Tunneling Indicators

Detects potential DNS-based exfiltration by identifying domains receiving an unusual volume of queries with long, high-entropy subdomain labels. The subdomain field captures everything in front of the registered domain (naively taken as the last two labels), so a multi-level prefix such as the encoded chunk in the example above is measured in full.

index=dns
| rex field=query "^(?P<subdomain>.+)\.(?P<domain>[^.]+\.[^.]+)$"
| eval sub_len=len(subdomain)
| where sub_len > 30
| stats count avg(sub_len) as avg_sub_len dc(subdomain) as unique_subs by domain src_ip
| where count > 50 AND unique_subs > 20 AND avg_sub_len > 30
| sort -count
| table src_ip domain count unique_subs avg_sub_len
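Query 3 measures label length and query volume but cannot compute entropy in plain SPL without a lookup or custom command. The following Python is an added illustration (not code from the original briefing or from any vendor's product) that applies the same grouping to constructed DNS query-log lines and adds a Shannon-entropy check on the longest prefix label, which is what separates base32/base64 chunks like the one described under DNS-Based Exfiltration from ordinary hostnames. The log line layout (epoch, client IP, query name, record type), the domain names, and the thresholds are assumptions.

```python
"""DNS tunnelling indicator scoring over constructed query-log lines.

Added illustration; not code from the original briefing or from any vendor's
product. The log line layout (epoch, client IP, query name, record type) and the
domain names are constructed for this example; the thresholds mirror Query 3
above and add a Shannon-entropy check on the longest label.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean


def build_sample_log():
    """Construct log lines: one client sending 12 queries whose first label is a
    52-character base32 chunk (pseudo-random bytes derived from sha256, so the
    data is deterministic), one client doing ordinary lookups."""
    lines = []
    for i in range(12):
        digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
        label = base64.b32encode(digest).decode().rstrip("=").lower()
        lines.append(f"{1700000000 + i} 10.0.0.5 {label}.exfil.example.net TXT")
    hosts = ["www", "mail", "cdn", "api", "login", "www",
             "static", "www", "mail", "www", "api", "cdn"]
    for i, host in enumerate(hosts):
        lines.append(f"{1700000100 + i} 10.0.0.7 {host}.example.org A")
    return lines


def shannon_entropy(s):
    """Bits per character; base32/base64 data sits well above hostnames like 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Split a query into registered domain (naively the last two labels, no
    public-suffix handling) and the prefix labels in front of it."""
    ts, client, qname, qtype = line.split()
    labels = qname.rstrip(".").split(".")
    prefix_labels = labels[:-2]
    longest = max(prefix_labels, key=len) if prefix_labels else ""
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "domain": ".".join(labels[-2:]), "prefix": ".".join(prefix_labels),
            "longest_label": longest}


def score_dns(lines, min_queries=10, min_unique=5, min_label_len=30, min_entropy=3.5):
    """Group by (client, domain); flag groups with many distinct, long,
    high-entropy prefixes. Returns only the flagged groups with their metrics."""
    groups = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rec = parse_line(line)
            groups[(rec["client"], rec["domain"])].append(rec)
    flagged = {}
    for key, recs in groups.items():
        prefixes = {r["prefix"] for r in recs}
        avg_len = mean(len(r["longest_label"]) for r in recs)
        avg_ent = mean(shannon_entropy(r["longest_label"]) for r in recs)
        txt_share = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        if (len(recs) >= min_queries and len(prefixes) >= min_unique
                and avg_len >= min_label_len and avg_ent >= min_entropy):
            flagged[key] = {"queries": len(recs), "unique_prefixes": len(prefixes),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2),
                            "txt_null_share": round(txt_share, 2)}
    return flagged


if __name__ == "__main__":
    for key, m in score_dns(build_sample_log()).items():
        print(key, m)
```

The unique-prefix count is the important discriminator: a CDN with one long hashed hostname queried thousands of times is not tunnelling, whereas a tunnel must vary the prefix on nearly every query because each one carries a new chunk. The two-label registered-domain heuristic will misgroup ccTLD second-level domains (co.uk and similar); a public suffix list fixes that in production.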

Query 4: Suspicious Process Network Connections

Detects outbound connections to external hosts from processes that should not normally have network activity, which may indicate a malware implant (or code injected into a benign process) with C2 and exfiltration capabilities. The private-range exclusion uses cidrmatch so that the whole 172.16.0.0/12 block is covered, not just 172.16.x.x.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Initiated=true
NOT DestinationIsIpv6=true
(Image="*\\notepad.exe" OR Image="*\\calc.exe" OR Image="*\\mspaint.exe"
  OR Image="*\\write.exe" OR Image="*\\wordpad.exe" OR Image="*\\help.exe")
| where NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp)
  OR cidrmatch("192.168.0.0/16", DestinationIp) OR cidrmatch("127.0.0.0/8", DestinationIp))
| table _time host user Image DestinationIp DestinationPort DestinationHostname
| sort -_time
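The same triage logic, carried out in Python over constructed Sysmon-style event records, as an added illustration that is not code from the original briefing or from any vendor's product. It shows why the internal-range check needs proper CIDR matching (a "172.16.*" wildcard misses 172.20.4.9) and why the ipaddress module's is_private cannot be used directly, since it also classifies the RFC 5737 test networks used below as non-global. The event dicts, host names, users and addresses are made up; the field names mirror Sysmon EventCode 3.

```python
"""Unexpected-process outbound connection triage over constructed Sysmon-style events.

Added illustration; not code from the original briefing or from any vendor's
product. The event dicts are constructed to resemble Sysmon EventCode 3 fields
(Image, DestinationIp, DestinationPort, Initiated); host names, users and
addresses (RFC 5737 / RFC 3849 documentation ranges) are made up.
"""
import ipaddress

# Processes that have no business making outbound connections (from Query 4).
UNEXPECTED_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe",
                     "write.exe", "wordpad.exe", "help.exe"}

# Explicit internal ranges. Python's ip.is_private also treats the RFC 5737
# test networks used below as non-global, so explicit RFC 1918 style ranges are
# used to mirror the query's intent exactly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "WS01", "user": "CORP\\alice", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "true"},
    {"host": "WS01", "user": "CORP\\alice", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "172.20.4.9", "DestinationPort": 445, "Initiated": "true"},
    {"host": "WS02", "user": "CORP\\bob", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443, "Initiated": "true"},
    {"host": "WS03", "user": "CORP\\carol", "Image": r"C:\Windows\System32\calc.exe",
     "DestinationIp": "2001:db8::1", "DestinationPort": 443, "Initiated": "true"},
    {"host": "WS03", "user": "CORP\\carol", "Image": r"C:\Windows\System32\calc.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "false"},
]


def is_internal(ip_str):
    """True for RFC 1918, loopback, link-local and IPv6 ULA/link-local addresses.
    172.20.4.9 is internal here although a "172.16.*" wildcard would miss it."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(events, unexpected=UNEXPECTED_IMAGES, include_ipv6=True):
    """Outbound connections to external destinations from processes in `unexpected`.
    Returns (host, image, destination, port) tuples, the columns an analyst would
    pivot on. Inbound connections (Initiated=false) and internal destinations are
    dropped; IPv6 can be excluded to mirror Query 4's NOT DestinationIsIpv6=true."""
    hits = []
    for ev in events:
        if str(ev.get("Initiated", "true")).lower() != "true":
            continue
        image = ev["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image not in unexpected:
            continue
        dest = ev["DestinationIp"]
        if not include_ipv6 and ipaddress.ip_address(dest).version == 6:
            continue
        if is_internal(dest):
            continue
        hits.append((ev["host"], image, dest, ev["DestinationPort"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(*hit)
```

Excluding IPv6, as Query 4 does, is a convenience for environments without IPv6 egress; where dual-stack egress exists, an implant can simply prefer AAAA records, so the IPv6 branch should be kept on and given the ULA and link-local exclusions shown here.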

Known Threat Actors and Malware

T1041 is used by virtually every threat actor that operates malware with C2 capabilities. The following is a representative selection organized by category.

State-Sponsored Espionage

Actor / Malware | Attribution | T1041 Usage
APT29 / SUNBURST / GoldMax | Russia (SVR) | Exfiltration disguised as SolarWinds telemetry over HTTP; GoldMax uses HTTPS C2 for data theft
APT28 / ADVSTORESHELL | Russia (GRU) | Exfiltrates data over the same custom channel used for C2; Zebrocy sends encoded data via HTTP POST
Gamaredon / Shuckworm | Russia (FSB) | Continuous exfiltration of documents from Ukrainian government systems over rotating C2 infrastructure (2022-2025)
APT30 (Naikon) | China | BACKSPACE and FLASHFLOOD exfiltrate data over their C2 channels in long-running Southeast Asian espionage
APT32 (OceanLotus) | Vietnam | Backdoor exfiltrates collected data over its HTTPS C2 channel
APT39 (Chafer/Remexi) | Iran | Remexi malware exfiltrates collected data via its C2 communications
ArcaneDoor (Cisco ASA) | Unknown (espionage) | Custom C2 channel exfiltration from compromised perimeter VPN devices (2024)
Contagious Interview / InvisibleFerret | North Korea | Cross-platform C2 exfiltration of files, credentials, and browser data from developer workstations

Infostealers and Commodity Malware

Malware | T1041 Usage
Raccoon Stealer v2 | HTTPS POST with base64-encoded stolen credentials and wallet data to C2 server
Redline Stealer | Encodes harvested browser data, credentials, and system info for C2 channel transmission
Amadey | Reports collected system data and downloaded module results to C2 via HTTP
Azorult | Exfiltrates browser credentials, cryptocurrency wallets, and documents over C2
QakBot (QBot) | Encodes collected data in regular C2 callbacks using the same encryption protocol
Astaroth / Guildma | Exfiltrates stolen credentials and keystrokes over established C2 connection
Grandoreiro | Banking trojan that exfiltrates financial data through its C2 channel

Post-Exploitation Frameworks and RATs

Tool | T1041 Usage
Cobalt Strike | Beacon exfiltrates files and command output in periodic HTTPS/DNS callbacks; malleable C2 profiles disguise traffic
Sliver | Open-source C2 framework with built-in file exfiltration over its C2 channel (HTTP, mTLS, WireGuard, DNS)
Brute Ratel C4 | Post-exploitation framework with C2 exfiltration using encrypted channels and evasive beaconing
Pupy RAT | Cross-platform RAT exfiltrating data over its reflective, encrypted C2 channel
Empire | PowerShell-based framework with C2 exfiltration over HTTP/HTTPS
XCSSET | macOS malware that exfiltrates data over its C2 channel, with new obfuscation techniques observed in 2025

Defensive Recommendations

1. Invest in C2 detection capabilities

Because T1041 is inseparable from C2 communication, the most effective defense against C2-channel exfiltration is robust C2 detection. Deploy network detection tools that analyze beaconing patterns (regular-interval callbacks to external hosts), JA3/JA4 TLS fingerprinting (comparing client TLS handshakes against known-good profiles), and DNS analytics (detecting tunneling, DGA domains, and unusual query patterns). The Picus Blue Report 2025 found that detection thresholds for C2 activity are dangerously low — increasing C2 detection capability directly reduces T1041 risk.

2. Deploy TLS inspection on outbound traffic

The majority of C2 and exfiltration traffic uses HTTPS. Without TLS inspection, security devices can see the destination IP and domain but cannot inspect the payload content. Deploy TLS inspection (SSL/TLS decryption) on outbound traffic to enable content inspection of HTTPS connections. This allows detection of encoded data, anomalous POST body content, and known malware communication patterns within encrypted traffic. Be mindful of privacy regulations and operational impact — configure bypass rules for sensitive categories like banking and healthcare.

3. Implement DNS monitoring and filtering

DNS-based exfiltration bypasses traditional network monitoring because DNS traffic is almost never inspected in detail. Deploy DNS monitoring that analyzes query patterns for tunneling indicators: high query volumes to a single domain, long or high-entropy subdomain labels, TXT/NULL record queries, and NXDOMAIN responses at scale. DNS filtering services (threat intelligence-informed DNS resolvers) can block known C2 domains and detect DGA-generated domains used for C2 and exfiltration.

4. Monitor outbound data volumes per host

While sophisticated adversaries throttle exfiltration to avoid detection, many attacks still produce detectable upload volume anomalies. Baseline normal outbound data volumes per host and alert when a host exceeds its historical average by a significant margin, even for connections to seemingly legitimate destinations. Focus on upload-to-download ratios — normal web browsing and cloud usage produces download-heavy traffic, while C2 exfiltration produces upload-heavy traffic.

5. Block connections to known C2 infrastructure

Subscribe to threat intelligence feeds that track active C2 infrastructure (IP addresses, domains, JA3 hashes) and configure network security devices to block connections to these indicators. While this does not catch novel or rapidly-rotating infrastructure, it eliminates risk from known C2 servers and provides a baseline level of protection. Services like C2 Tracker, Abuse.ch, and commercial threat intelligence platforms maintain regularly updated C2 indicator lists.

6. Enforce application-level egress controls

Configure firewalls and proxies to enforce application-level egress policies that restrict which processes can make outbound connections and to which destinations. Workstations should only need to connect to business-approved websites, cloud services, and internal resources. Blocking direct internet access from servers (requiring all connections to go through a proxy) prevents many implants from establishing C2 connections and therefore prevents T1041 exfiltration.

7. Implement network segmentation

Segment high-value data stores (databases, file servers, domain controllers) on network segments with restricted internet access. If these systems cannot reach the internet directly, malware on these systems cannot establish C2 channels or exfiltrate data via T1041. Data must be accessed through controlled jump servers or application gateways that enforce logging and access controls.

8. Deploy endpoint detection for C2 indicators

Configure EDR to detect process-level indicators of C2 communication: processes in user-writable directories making persistent outbound connections, unsigned binaries with network activity, processes with injected code that generate network traffic, and applications that communicate with recently registered or low-reputation domains. Endpoint-level detection catches C2 and exfiltration activity even when network-level monitoring fails due to encryption or tunneling.

MITRE ATT&CK Mapping

Field | Value
Technique ID | T1041
Technique Name | Exfiltration Over C2 Channel
Tactics | Exfiltration (TA0010)
Platforms | Windows, Linux, macOS
Sub-Techniques | None (no sub-techniques defined)
Data Sources | Network Traffic (Flow, Content), File (Access), Command (Execution)
Mitigations | Network Intrusion Prevention (M1031), Data Loss Prevention (M1057)
Version | 2.2 (last modified April 2023)
MITRE Reference | attack.mitre.org/techniques/T1041

Sources and References

  • MITRE ATT&CK — T1041 Exfiltration Over C2 Channel: attack.mitre.org
  • Elastic Security — Exfiltration Over C2 Channel: Detection with ES|QL (2025): elastic.co
  • FireEye/Mandiant — SUNBURST Backdoor Analysis: mandiant.com
  • Cisco Talos — ArcaneDoor: New Espionage Campaign Targeting Perimeter Network Devices (2024): talosintelligence.com
  • ESET — Cyberespionage the Gamaredon Way: Analysis of Toolset Used to Spy on Ukraine (2024): welivesecurity.com
  • Symantec — Shuckworm Targets Foreign Military Mission Based in Ukraine (2025): security.com
  • Picus Security — Red Report 2025 and Red Report 2026: picussecurity.com
  • Red Canary — Atomic Red Team T1041 Tests: github.com
— end of briefing