technique_id: T1048
category: MITRE ATT&CK
tactics: Exfiltration
published: March 2026

T1048: Exfiltration Over Alternative Protocol

Adversaries steal data by routing it through a network protocol that is separate from their established command and control channel. DNS queries, ICMP echo requests, FTP transfers, SMTP messages, cloud storage uploads — any of these can become a covert exfiltration conduit. By decoupling the data theft pathway from the C2 channel, attackers gain operational redundancy and force defenders to monitor multiple protocol layers simultaneously.

T1048 sits within the Exfiltration tactic of the MITRE ATT&CK framework and is one of the most broadly applicable exfiltration techniques because it can leverage nearly any network protocol the target environment permits. The core logic is simple: if the C2 channel operates over HTTPS, the exfiltration moves over DNS. If C2 runs over DNS, exfiltration shifts to FTP or cloud storage APIs. This protocol separation means that blocking or monitoring the C2 channel alone will not stop data theft. Security teams that focus detection exclusively on known C2 indicators miss the parallel exfiltration entirely.

The Picus Red Report 2026 found that data exfiltration prevention rates have collapsed to just 3%, down from 9% in the previous year. In the ransomware ecosystem, double extortion has become the dominant model — 96% of ransomware attacks in Q3 2025 attempted to steal data before encrypting systems. Exfiltration over alternative protocols is a primary mechanism for achieving that data theft, and T1048 ranks among the top 10 techniques observed across ransomware groups tracked in early 2026.

exfiltration speed

The Unit 42 2026 Global Incident Response Report found that the fastest quartile of attackers now reaches the exfiltration stage in just 72 minutes from initial access. By the time a security team begins investigating a C2 alert, the data may already be gone over an entirely different protocol.

How Alternative Protocol Exfiltration Works

The exfiltration chain begins after an adversary has already achieved access, performed discovery, and staged data for collection. The attacker selects a protocol that is different from the one used for C2 communication, then transfers the collected data through that alternative channel. The choice of protocol depends on what the target environment allows and what is least likely to trigger security alerts.

At the network level, the process follows a consistent pattern. First, the adversary stages collected data — compressing, encrypting, or encoding files into a format suitable for transfer over the chosen protocol. Second, the adversary establishes a connection to an external endpoint they control using the alternative protocol. Third, the data is transferred incrementally or in bulk, depending on the protocol's capacity and the adversary's operational security requirements. Fourth, the receiving infrastructure reassembles the data on the attacker-controlled server.

The alternative protocol may be entirely separate from the C2 channel, using different infrastructure and different network paths. Or it may use the same destination server but a different port or protocol. In either case, the key characteristic is that data theft and command-and-control operate on distinct protocol channels, requiring defenders to maintain visibility across both.

Sub-Techniques

T1048.001 — Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Adversaries use symmetric encryption algorithms (AES, RC4, ChaCha20) to encrypt data and then exfiltrate it over a protocol that is not part of the C2 channel. This creates multiple layers of protection: the data itself is encrypted with a shared key, and it travels over a protocol the security team may not be actively inspecting. The symmetric key must be pre-arranged or exchanged through the C2 channel, but once established, the exfiltration operates independently. This approach is common in sophisticated espionage operations where the data's confidentiality during transit is a primary concern.

T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Rather than shared keys, adversaries use public-key cryptography (RSA, ECDH) to protect exfiltrated data. The adversary embeds a public key in the malware, encrypts collected data with that key (in practice a per-file symmetric key wrapped with the public key), and transmits it over a non-C2 protocol such as HTTPS to attacker infrastructure or to a legitimate cloud service. Only the adversary's private key can decrypt the data. Protocols whose handshakes rely on public-key cryptography, TLS (HTTPS) and SSH, provide built-in cover: they negotiate a session key asymmetrically and then encrypt the bulk data symmetrically, so the exfiltration stream looks identical to legitimate encrypted web or file transfer traffic. The Black Basta ransomware group has been observed using SFTP with asymmetric encryption for data exfiltration operations.

T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol

This is the broadest sub-technique and encompasses everything from raw FTP and HTTP uploads to DNS tunneling and ICMP-based data smuggling. The data may be obfuscated (Base32/Base64 encoded, XOR-scrambled) but is not encrypted in transit. It is the most commonly observed in the wild because it has the lowest implementation barrier: an attacker with shell access can use built-in tools like curl, ftp, wget, nslookup or dig to move data without installing additional software. Note that the same binaries speaking HTTPS, SCP or SFTP produce encrypted transfers, which ATT&CK maps to T1048.001/.002 instead. On macOS and Linux systems, curl is particularly favored because it supports HTTP/S and FTP natively with a single command.

Exfiltration Channels

DNS Tunneling

DNS is the single most abused protocol for covert exfiltration because DNS traffic is almost universally permitted through firewalls, rarely inspected at the content level, and generated in enormous volume by normal operations. In a DNS exfiltration attack, the adversary encodes stolen data into DNS query labels, subdomains of an attacker-controlled domain, and transmits them as standard DNS lookups. Each query carries only a small payload: a single label is limited to 63 bytes and a complete name to 253 characters, and after Base32 encoding the usable data per query is typically 100 to 150 bytes, so the malware continuously generates queries until all data is transferred.

The attacker's authoritative DNS server receives the queries, strips out the encoded data, and reassembles the original files. Responses from the DNS server can carry instructions back to the malware using DNS TXT, CNAME, or A records, creating a bidirectional tunnel that handles both C2 and exfiltration within the DNS protocol. Because DNS names are case-insensitive and restricted to letters, digits and hyphens, data is typically encoded in Base32 rather than Base64 (Base64 depends on letter case and uses characters that are not valid in a label). Tools like DNSExfiltrator, Iodine, dnscat2, and Cobalt Strike's DNS beacon automate this entire process.
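The stage-chunk-transfer-reassemble sequence and the label limits described above, as an added example written for this page (it is not code from DNSExfiltrator, Iodine or any other tool named here). It only builds and parses query names and never sends a packet; the zone exfil.example, the session tag and the payload are assumptions.

```python
"""Added example (not from the page or any tool it names): how a DNS
exfiltration client packs a file into query names within the protocol's
limits, and how the receiving authoritative server reassembles it.
Nothing is sent; the zone, session tag and payload are assumptions."""
import base64
import zlib

MAX_LABEL = 63               # RFC 1035: a label is at most 63 octets
MAX_NAME = 253               # and a full name at most 253 characters in text form
EXFIL_ZONE = "exfil.example" # assumed attacker-controlled authoritative zone


def build_queries(data: bytes, session: str, zone: str = EXFIL_ZONE) -> list:
    """Stage (compress, then Base32 so the data survives DNS case folding)
    and chunk. Name layout: <seq>-<total>.<data labels...>.<session>.<zone>"""
    blob = base64.b32encode(zlib.compress(data)).decode().rstrip("=").lower()
    suffix = f".{session}.{zone}"
    header_len = len("00000-00000.")                  # fixed-width sequence header
    budget = MAX_NAME - len(suffix) - header_len      # characters left for data labels
    labels_per_query = budget // (MAX_LABEL + 1)      # each label costs 63 chars + its dot
    chars_per_query = labels_per_query * MAX_LABEL
    chunks = [blob[i:i + chars_per_query] for i in range(0, len(blob), chars_per_query)]
    queries = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = f"{seq:05d}-{len(chunks):05d}." + ".".join(labels) + suffix
        # Every name must be a legal DNS name or the resolver will reject it.
        assert len(name) <= MAX_NAME and all(len(l) <= MAX_LABEL for l in name.split("."))
        queries.append(name)
    return queries


def reassemble(queries, zone: str = EXFIL_ZONE) -> dict:
    """Server side: parse every query under the zone (case-folded, since
    resolvers may randomise case), order chunks by sequence number per
    session, and decode only sessions whose chunk set is complete."""
    sessions = {}
    for name in queries:
        if not name.lower().endswith("." + zone):
            continue
        labels = name.lower()[: -len(zone) - 1].split(".")
        seq, total = (int(x) for x in labels[0].split("-"))
        sessions.setdefault(labels[-1], {})[seq] = (total, "".join(labels[1:-1]))
    out = {}
    for session, parts in sessions.items():
        total = next(iter(parts.values()))[0]
        if len(parts) != total:
            continue                                  # still waiting for chunks
        b32 = "".join(parts[i][1] for i in range(total)).upper()
        out[session] = zlib.decompress(base64.b32decode(b32 + "=" * (-len(b32) % 8)))
    return out
```

With the session tag and zone used here each query holds three 63-character labels, about 118 bytes of compressed data once Base32's 5-bits-per-character cost is paid, which is why even a modest file produces thousands of unique names and why unique-query volume per domain is the first thing a detector should count.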

The Infoblox 2025 DNS Threat Landscape Report processed over 70 billion DNS queries per day across 13,000 customer environments and identified 100.8 million newly observed domains in a single year, with more than 25% classified as malicious or suspicious. Between August and November 2025 alone, over 7.6 million new threat-related domains were discovered — a 20% increase over the prior quarter. DNS tunneling, exfiltration, and C2 traffic (including Cobalt Strike, Sliver, and custom tools) are now detected daily at enterprise scale.

detection challenge

DNS exfiltration traffic often blends with normal DNS lookups, and attackers can use very low throughput to avoid generating detectable spikes. Machine learning algorithms are increasingly required to identify DNS exfiltration because static signature-based detection produces high false-positive rates — legitimate services like CDN telemetry and monitoring tools generate DNS patterns that resemble exfiltration activity.

ICMP Tunneling

ICMP (the protocol behind ping) was designed to carry small diagnostic payloads, but attackers repurpose the data field in ICMP echo request and reply packets to smuggle stolen information. Because ICMP has no ports, firewall rules and IDS signatures written around TCP/UDP port numbers do not apply to it, and many environments permit outbound echo requests wholesale. The data payload in each ICMP packet is small, making this method best suited for exfiltrating credentials, configuration files, encryption keys, and other compact but high-value data. Tools written in Python and PowerShell can automate the chunking, encoding, and reassembly of files over ICMP.

A critical visibility gap exists for ICMP-based exfiltration: endpoint telemetry tools like Sysmon record TCP and UDP connections but do not capture ICMP flows, meaning the exfiltration may leave no trace on the endpoint. Detection must happen at the network level, monitoring for abnormal ICMP traffic volume, unusually large ICMP packet payloads, or sustained ICMP communication between an internal host and an external IP address.

Cloud Storage and Legitimate Services

Adversaries upload stolen data to cloud platforms — Google Drive, Dropbox, Amazon S3, Microsoft OneDrive, MEGA — using the platform's native APIs or legitimate client tools. This traffic is extremely difficult to distinguish from normal business use because it flows to trusted cloud provider infrastructure over HTTPS. Tools like Rclone, MEGAsync, and AADInternals facilitate this approach. Rclone in particular has become the dominant exfiltration tool in ransomware operations, appearing in 57% of all data theft incidents tracked by ReliaQuest between September 2023 and July 2024. Its appeal comes from compatibility with dozens of cloud providers, fast transfer speeds, cross-platform support, and the ability to rename the binary to evade static detection.

FTP, SFTP, and SCP

File transfer protocols remain a staple of exfiltration operations. WinSCP (supporting SFTP and SCP) is the second most popular exfiltration tool observed in ransomware incidents. In one documented case, approximately 732 gigabytes of data were transferred to external infrastructure over a 24-hour period using WinSCP. The Play ransomware group, which has impacted approximately 900 entities as of May 2025 according to FBI reporting, uses WinRAR to archive collected data and WinSCP to transfer it to actor-controlled servers.

SMTP / Email-Based Exfiltration

Adversaries can exfiltrate data by attaching it to outbound email messages or encoding it within email body content. This is particularly effective in environments where email is a core business function and outbound SMTP traffic is expected. The Iranian threat group OilRig (APT34) has evolved its exfiltration techniques from heavy reliance on DNS-based C2 to combining DNS tunneling with SMTP exfiltration through compromised mailbox accounts, sending stolen data from internal mailboxes to external addresses controlled by the attackers.

Real-World Case Studies

SUNBURST / SolarWinds — DNS as the Exfiltration Backbone

The SUNBURST supply chain attack, attributed to the Russian threat group tracked as NOBELIUM (also UNC2452 and APT29), represents the highest-profile use of DNS-based exfiltration in modern history. The backdoor, embedded in a trojanized SolarWinds Orion software update distributed to approximately 18,000 organizations, used a domain generation algorithm to construct subdomains of avsvmcloud[.]com and resolved them through standard DNS queries. Encoded information about the infected host, including the Active Directory domain name, was transmitted within the subdomain labels themselves.

The DNS layer served as both a C2 coordinator and a data exfiltration channel. The authoritative DNS server for the attacker's domain interpreted the encoded queries and used DNS response records (A records, CNAME redirects) to send instructions back to the malware. To avoid detection, SUNBURST introduced random delays between DNS requests, waiting up to 120 minutes between queries for each victim domain. It also waited 12 to 14 days after installation before initiating any network communication. Larger data payloads exceeding 10,000 bytes were transmitted over HTTP using fake SolarWinds Orion Improvement Program messages, creating a hybrid exfiltration approach that leveraged both DNS and HTTP as alternative channels. The attack remained undetected for approximately eight months.

OilRig (APT34) — Custom DNS Tunneling for Middle Eastern Espionage

OilRig, an Iranian state-sponsored group operating since at least 2014, has made DNS tunneling a signature component of its operations. The group has used tooling including the open-source DNSExfiltrator and the DNSpionage malware for DNS-based C2 and data movement, targeting government, energy, telecommunications, and financial organizations across the Middle East. In a 2019 campaign against Gulf-region oil and gas companies, OilRig used DNS tunneling to exfiltrate sensitive data while keeping the exfiltration traffic indistinguishable from normal DNS resolution.

In 2024, a campaign targeting Iraqi government infrastructure deployed two backdoors — Veaty and Spearal — that used a custom DNS tunneling protocol for C2 and exfiltration. Spearal, a .NET backdoor, encoded all communication within DNS queries to attacker-controlled domains. OilRig has since evolved to combine DNS tunneling with email-based exfiltration through compromised Microsoft Exchange mailboxes, demonstrating the group's ability to adapt its alternative protocol choices as defenders improve DNS monitoring. Recent campaigns in 2025 have targeted energy and defense companies across Europe and the Middle East using compromised Microsoft 365 accounts and Azure persistence mechanisms.

Detour Dog — 30,000 Hosts and 2 Million DNS Queries per Hour

The Detour Dog threat operation, tracked by Infoblox in late 2025, illustrates the scale that DNS-based exfiltration can reach. The campaign's infrastructure used DNS TXT record responses to deliver Base64-encoded instructions that triggered infected hosts to fetch and execute malicious code. When researchers attempted to sinkhole the C2 domain in August 2025, traffic analysis revealed approximately 30,000 infected hosts, with spikes reaching over 2 million DNS TXT requests in a single hour. Detour Dog's infrastructure proved highly resilient: after the sinkhole attempt briefly interrupted operations, the attackers restored control within hours. The operation included a backdoor (StarFish) and the Strela Stealer infostealer, both orchestrated entirely through DNS.

Double Extortion Ransomware — Rclone, WinSCP, and the 72-Minute Timeline

Modern ransomware groups have industrialized T1048 exfiltration. The standard kill chain is consistent: compromise the initial foothold, escalate privileges, move laterally, collect data, exfiltrate, then encrypt. The exfiltration phase relies heavily on legitimate file transfer tools used over alternative protocols. Rclone, the most popular exfiltration tool across ransomware operations, can sync files to Google Drive, Amazon S3, Dropbox, MEGA, and FTP servers. Groups including LockBit, Black Basta, BlackSuit, Qilin, and Play all use Rclone or WinSCP. Attackers routinely rename the Rclone binary to evade static detection rules — for example, renaming rclone.exe to match legitimate system processes or backup utilities.

The PEAR (Pure Extraction and Ransom) group, which emerged in late 2025, operates exclusively through data theft and extortion without deploying encryption. In one documented incident, PEAR exfiltrated approximately 732 GB of data over a 24-hour period using WinSCP. In another case, the threat actor maintained network access for approximately six months before large-scale exfiltration began, demonstrating the patient staging that precedes alternative protocol data theft. Even when security tools detected and blocked individual credential dumping attempts, the attacker maintained access and eventually exfiltrated hundreds of gigabytes of data because the underlying access vector (compromised VPN credentials) was never revoked.

APT10 — 600 MB per Day via DNS

In 2017, the Chinese-attributed threat group APT10 was documented exfiltrating up to 600 MB of data per day using DNS queries and responses across organizations in the United States, Europe, and Japan. This throughput is significant for a protocol with inherently small per-query payload capacity, and it demonstrated that DNS exfiltration is not limited to small credential theft — with sufficient query volume, it can handle bulk document theft over extended periods.

Detection Strategies

Detecting T1048 requires monitoring across multiple protocol layers, not just the known C2 channel. The following data sources and indicators provide coverage for the most common alternative exfiltration protocols.

Detection layer | What to monitor | Key indicators
DNS traffic analysis | DNS query logs, passive DNS, recursive resolver logs | High entropy in subdomain labels; unusually long FQDNs; excessive TXT record queries; high volume of unique queries to a single uncommon domain; Base32/Base64-looking subdomains
ICMP monitoring | Network flow data, packet capture at egress | Sustained ICMP echo traffic to external IPs; ICMP packets with payloads well above the default 32-byte (Windows) or 56-byte (Linux) ping payload; ICMP traffic outside normal diagnostic patterns
Cloud storage access | Proxy logs, CASB, cloud API logs | Bulk uploads to personal cloud storage; provider API traffic carrying Rclone's default "rclone/<version>" User-Agent (attackers can override it, so treat absence as no signal); MEGA/Dropbox API traffic from servers; large outbound transfers to cloud provider IP ranges
Network flow analysis | NetFlow/IPFIX, firewall logs | Unusual outbound volume on FTP/FTPS (21/990), SSH/SFTP/SCP (22), SMTP (25/587) or non-standard ports; connections to rare external destinations
Endpoint process monitoring | Sysmon Event ID 1, EDR telemetry | Execution of Rclone, WinSCP, FileZilla, MEGAsync, or curl with external URLs; renamed binaries identified by OriginalFileName or file hash
Email / SMTP | Mail gateway logs, Exchange transport rules | Large attachments to external addresses from service accounts; outbound mail from compromised mailboxes to unknown recipients; unusual volume from a single sender

SIEM Detection Queries

The following Splunk queries target the most common T1048 exfiltration patterns.

DNS exfiltration detection (long, unique subdomain labels as a proxy for encoded data; the registered domain is approximated as the last two labels):

index=dns sourcetype="stream:dns" query_type IN ("A", "TXT", "CNAME")
| eval labels=split(query, ".")
| eval first_label_len=len(mvindex(labels, 0)), fqdn_len=len(query)
| eval domain=mvjoin(mvindex(labels, -2, -1), ".")
| where first_label_len > 50 OR fqdn_len > 150
| stats count dc(query) AS unique_queries avg(fqdn_len) AS avg_fqdn_len BY src_ip domain
| where unique_queries > 100 AND count > 500
| sort - count
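The entropy and length scoring the detection table calls for, applied to resolver logs, as an added example written for this page (not Splunk, Infoblox or any product's code). The log format, the thresholds and the "last two labels" approximation of the registered domain are assumptions; the log lines are constructed, with the exfil-style names derived from SHA-256 digests so they are deterministic and genuinely high-entropy. The single hash-like CDN lookup is there to show why the indicators must be stacked: on its own it has the entropy profile the callout above warns about, but it fails the volume and length checks.

```python
"""Added example: scoring resolver logs for DNS exfiltration. Log lines are
constructed; thresholds and the domain split are assumptions to tune."""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """(subdomain without dots, registered domain). Assumes the registered
    domain is the last two labels; use the Public Suffix List in production."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def score_dns_log(lines, min_queries=5, min_mean_len=30,
                  min_mean_entropy=3.5, min_unique_ratio=0.9):
    """Aggregate per (client, registered domain) and flag combinations that
    look like encoded data: many queries, long high-entropy subdomains, and
    almost every name unique (real hosts repeat lookups; exfil never does)."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "names": set()})
    for line in lines:
        if not line.strip():
            continue
        _ts, src, _qtype, qname = line.split()       # "<ts> <client> <qtype> <qname>"
        sub, dom = split_name(qname)
        s = stats[(src, dom)]
        s["n"] += 1
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
        s["names"].add(sub)
    alerts = []
    for (src, dom), s in stats.items():
        mean_len, mean_ent = s["len"] / s["n"], s["ent"] / s["n"]
        unique_ratio = len(s["names"]) / s["n"]
        if (s["n"] >= min_queries and mean_len >= min_mean_len
                and mean_ent >= min_mean_entropy and unique_ratio >= min_unique_ratio):
            alerts.append({"src": src, "domain": dom, "queries": s["n"],
                           "mean_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


def constructed_log():
    """Constructed sample: benign lookups plus eight exfil-style TXT queries."""
    benign = [
        "2026-03-01T10:00:01Z 10.0.0.5 A www.example.com",
        "2026-03-01T10:00:02Z 10.0.0.5 A www.example.com",
        "2026-03-01T10:00:03Z 10.0.0.5 A mail.example.com",
        "2026-03-01T10:00:04Z 10.0.0.5 A d1a2b3c4.cdn.example",   # hash-like, but short and alone
        "2026-03-01T10:00:05Z 10.0.0.5 A update.vendor.example",
        "2026-03-01T10:00:06Z 10.0.0.9 A api.saas.example",
    ]
    exfil = []
    for i in range(8):
        chunk = base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest())
        chunk = chunk.decode().rstrip("=").lower()               # 52 chars, one label
        exfil.append(f"2026-03-01T10:01:{i:02d}Z 10.0.0.5 TXT "
                     f"{i:05d}-00008.{chunk}.s01.exfil.example")
    return benign + exfil
```

In production the same aggregation runs over a sliding window per client; the unique-name ratio is the cheapest discriminator against CDN and telemetry domains, which are noisy but repeat their names.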

Rclone or WinSCP execution detection:

index=sysmon EventCode=1
| eval image_name=lower(mvindex(split(Image, "\\"), -1))
| search (OriginalFileName IN ("rclone.exe", "WinSCP.exe", "MEGAsync.exe", "filezilla.exe"))
  OR (CommandLine="*rclone*copy*" OR CommandLine="*rclone*sync*"
      OR CommandLine="*winscp.com*" OR CommandLine="*/upload*")
| eval renamed=if(lower(OriginalFileName)!=image_name, "YES", "NO")
| stats count BY Image OriginalFileName CommandLine User renamed
| sort - count

Anomalous outbound data volume by protocol:

index=firewall action=allowed direction=outbound
| search NOT dest_port IN (80, 443)
| stats sum(bytes_out) AS total_bytes dc(dest_ip) AS unique_dests BY src_ip dest_port
| where total_bytes > 104857600
| eval total_MB=round(total_bytes/1048576, 2)
| sort - total_bytes
| table src_ip dest_port total_MB unique_dests

renamed binary evasion

Attackers routinely rename exfiltration tools, for example copying rclone.exe to svchost.exe or backup.exe. Detection rules that match only on process name will miss these. Use Sysmon's OriginalFileName field (taken from the version information resource embedded in the binary) and compare it with the file name portion of Image, not the full path; pair that with file hash matching, because an attacker who rebuilds the binary or strips its version resource leaves OriginalFileName blank or altered.

Known Threat Actors

Actor | Origin | Context
NOBELIUM / Cozy Bear (APT29) | Russia | SUNBURST supply chain attack using DNS tunneling and HTTP for hybrid exfiltration across 18,000 compromised organizations
OilRig / APT34 | Iran | DNS tunneling tools (DNSExfiltrator, DNSpionage, Spearal) combined with SMTP exfiltration through compromised Exchange mailboxes
APT10 / Stone Panda | China | Exfiltrating up to 600 MB per day over DNS from targets in the US, Europe, and Japan
Volt Typhoon | China | Living-off-the-land exfiltration using native OS utilities and legitimate protocols to maintain stealth in critical infrastructure
FIN6 | Cybercrime | FrameworkPOS point-of-sale malware using DNS tunneling to exfiltrate credit card data from retail environments
Play Ransomware | Cybercrime | WinRAR archiving with WinSCP SFTP transfers for double extortion; approximately 900 affected entities reported by the FBI as of May 2025
Black Basta | Cybercrime | Rclone for cloud storage exfiltration and cURL with temp.sh for targeted data theft in double extortion campaigns
PEAR Team | Cybercrime | Pure data extraction group using WinSCP and Rclone for exfiltration of hundreds of gigabytes without deploying encryption
Lazarus Group | North Korea | DeceptiveDevelopment campaign using unencrypted exfiltration over non-C2 channels targeting freelance developers
Thrip / Lotus Blossom | China | Exfiltration of satellite, telecom, and defense sector data using alternative protocols to evade C2 monitoring

Common Exfiltration Tools

Tool | Protocol(s) | Why attackers use it
Rclone | HTTPS, FTP, S3, SFTP | Open-source, supports 50+ cloud providers, fast transfers, easily renamed to evade detection. Found in 57% of ransomware exfiltration incidents.
WinSCP | SFTP, SCP, FTP | Legitimate IT administration tool, scriptable, supports large file transfers. Commonly used by Play and PEAR ransomware groups.
cURL | HTTP/S, FTP/S | Pre-installed on Linux/macOS, single-command exfiltration, supports multiple protocols natively.
MEGAsync | HTTPS (MEGA cloud) | End-to-end encrypted cloud storage, large free tier, difficult to distinguish from legitimate user activity.
DNSExfiltrator | DNS | Purpose-built for DNS data exfiltration, supports compression and encryption, used by OilRig and red teams.
Iodine / dnscat2 | DNS | Full IPv4 tunnel over DNS, allowing shell access and file transfer through DNS queries alone.
Cobalt Strike DNS Beacon | DNS | Built-in DNS tunneling for C2 and exfiltration, widely used by both APT groups and ransomware affiliates.
FileZilla | FTP, SFTP | GUI-based file transfer, cross-platform, commonly installed by attackers post-compromise for bulk data theft.

Defensive Recommendations

3% prevention rate

According to the Picus Red Report 2026, organizations prevented only 3% of simulated data exfiltration attempts. In other words, preventive controls almost never stop exfiltration once an attacker is inside, so detection and response have to carry the load. Defense-in-depth strategies that combine DLP, DNS monitoring, network segmentation, and endpoint telemetry are essential.

  1. Deploy DNS monitoring and analytics: Implement DNS security solutions that analyze query patterns in real time. Monitor for high-entropy subdomain labels, excessive TXT record queries, and abnormally high query volumes to single domains. Machine learning-based DNS analytics detect tunneling that signature-based rules miss. Ensure all internal DNS traffic routes through monitored recursive resolvers — block direct DNS to external servers on port 53.
  2. Implement data loss prevention at network egress: Deploy DLP solutions at network perimeter points that inspect outbound traffic across protocols including FTP, SMTP, HTTP/S, and cloud storage APIs. DLP should monitor for sensitive data patterns (PII, financial records, source code, credentials) being transmitted to unauthorized external destinations.
  3. Restrict and monitor exfiltration-capable tools: Maintain an allowlist of authorized file transfer utilities. Alert on the execution of Rclone, WinSCP, MEGAsync, FileZilla, and similar tools on systems where they are not expected. Use Sysmon's OriginalFileName field to detect renamed binaries. Block unauthorized installations of remote file transfer software via application control policies.
  4. Monitor ICMP at the network layer: Because endpoint telemetry tools typically do not capture ICMP flows, network-level monitoring is the only reliable detection mechanism. Alert on sustained ICMP traffic to external IP addresses, ICMP packets with payloads exceeding standard diagnostic sizes, and any ICMP traffic patterns that deviate from normal ping and traceroute behavior.
  5. Segment networks and restrict outbound protocols: Limit which internal systems can initiate outbound connections using protocols such as FTP, SFTP, and SMTP. Servers should not have direct outbound internet access unless business-justified. Implement strict egress filtering that allows only necessary protocols to known destinations. Use proxy servers for all outbound web traffic and inspect TLS connections where legally and technically feasible.
  6. Baseline and alert on data transfer volumes: Establish baselines for normal outbound data volume by system, user, and protocol. Alert when a system transmits data volumes significantly above its baseline, especially over non-HTTP protocols or to uncommon cloud storage endpoints. Pay particular attention to large transfers occurring outside business hours or from systems that do not normally generate significant outbound traffic.
  7. Secure DNS infrastructure: Force all resolution through monitored internal resolvers and block DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) to external providers, since encrypted DNS that bypasses the corporate resolver blinds the monitoring in recommendation 1; if encrypted transport is wanted for clients, terminate it on those internal resolvers so the queries are still logged. Implement Response Policy Zones (RPZs) to block resolution of known malicious domains, and keep threat intelligence feeds updating RPZ entries with newly identified threat-related domains.
  8. Monitor cloud storage and email exfiltration vectors: Use Cloud Access Security Brokers (CASBs) to monitor and control uploads to personal cloud storage accounts. Implement Exchange transport rules that alert on unusual outbound email patterns from service accounts or compromised mailboxes. Monitor OAuth consent grants and API access patterns for signs of unauthorized cloud application access.
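Recommendations 4 and 6 (ICMP at the network layer, and baselining outbound volume) as one added example written for this page, not the page's or any vendor's code. The NetFlow-style one-minute records and the seven-day per-host history are constructed; the RFC 1918 ranges define "internal", and the thresholds (200-byte mean packet size, ten sustained minutes, 100 MB floor, three sigmas) are assumptions to tune per environment.

```python
"""Added example: flow-level detection of ICMP tunnelling and outbound volume
anomalies. Records and history are constructed; thresholds are assumptions."""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MB = 2 ** 20


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def icmp_alerts(flows, max_mean_pkt_bytes=200, min_minutes=10):
    """Flag internal->external ICMP that is oversized or sustained. A default
    IPv4 echo request is 84 bytes on the wire (Linux, 56-byte payload), so a
    mean packet size far above that means the data field is carrying cargo;
    a host pinging the same external address for many consecutive minutes is
    a tunnel keeping its channel open, whatever the packet size."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "minutes": set()})
    for f in flows:
        if f["proto"] != "icmp" or not is_external(f["dst"]):
            continue
        a = agg[(f["src"], f["dst"])]
        a["packets"] += f["packets"]
        a["bytes"] += f["bytes"]
        a["minutes"].add(f["minute"])
    alerts = []
    for (src, dst), a in agg.items():
        mean_pkt = a["bytes"] / a["packets"]
        reasons = []
        if mean_pkt > max_mean_pkt_bytes:
            reasons.append(f"mean packet {mean_pkt:.0f}B")
        if len(a["minutes"]) >= min_minutes:
            reasons.append(f"sustained {len(a['minutes'])} min")
        if reasons:
            alerts.append({"src": src, "dst": dst, "reasons": reasons})
    return alerts


def volume_alerts(flows, history, z_threshold=3.0, floor_bytes=100 * MB):
    """Compare today's outbound bytes per (src, proto, dport) with that host's
    daily history. Alert when the total exceeds the floor AND is more than
    z_threshold standard deviations above the mean, or when a host moves a
    large volume over a protocol it has no baseline for at all."""
    today = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            today[(f["src"], f["proto"], f["dport"])] += f["bytes"]
    alerts = []
    for key, total in today.items():
        if total < floor_bytes:
            continue
        hist = history.get(key)
        if not hist or len(hist) < 2:
            alerts.append({"key": key, "bytes": total, "reason": "no baseline"})
            continue
        mean, sd = statistics.mean(hist), statistics.pstdev(hist) or 1.0
        z = (total - mean) / sd
        if z > z_threshold:
            alerts.append({"key": key, "bytes": total, "reason": f"z={z:.1f}"})
    return alerts


# Constructed NetFlow-style one-minute aggregates for a single day.
FLOWS = (
    [{"minute": m, "src": "10.0.0.7", "dst": "203.0.113.10", "proto": "icmp", "dport": 0,
      "packets": 40, "bytes": 40 * 1400} for m in range(15)]            # ICMP tunnel
    + [{"minute": 3, "src": "10.0.0.8", "dst": "203.0.113.20", "proto": "icmp", "dport": 0,
        "packets": 4, "bytes": 4 * 84}]                                     # a real ping
    + [{"minute": 5, "src": "10.0.0.9", "dst": "198.51.100.5", "proto": "tcp", "dport": 22,
        "packets": 900_000, "bytes": 1200 * MB},                            # bulk SFTP push
       {"minute": 5, "src": "10.0.0.9", "dst": "198.51.100.9", "proto": "tcp", "dport": 443,
        "packets": 2_000, "bytes": 3 * MB}]                                 # ordinary HTTPS
)
# Constructed seven-day history of daily outbound bytes per (host, proto, port).
HISTORY = {
    ("10.0.0.9", "tcp", 22): [50 * MB, 60 * MB, 55 * MB, 48 * MB, 62 * MB, 58 * MB, 51 * MB],
    ("10.0.0.9", "tcp", 443): [2.5 * MB, 3.1 * MB, 2.8 * MB, 2.9 * MB, 3.0 * MB, 2.7 * MB, 3.2 * MB],
}
```

The ICMP tunnel never trips the volume rule (840 KB in total), and the SFTP push has a perfectly normal packet size; each channel needs its own rule, which is the point of monitoring several protocol layers at once.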

MITRE ATT&CK Mapping

Field | Value
Technique ID | T1048
Technique Name | Exfiltration Over Alternative Protocol
Tactics | Exfiltration
Platforms | Windows, Linux, macOS, ESXi, IaaS, Network Devices, Office Suite, SaaS
Sub-Techniques | T1048.001 Symmetric Encrypted Non-C2 Protocol; T1048.002 Asymmetric Encrypted Non-C2 Protocol; T1048.003 Unencrypted Non-C2 Protocol
Data Sources | Network Traffic (Content, Flow), Application Log (Content), File (Access), Command (Execution), Cloud Storage (Access)
Defenses Bypassed | C2-focused monitoring, port-based firewall rules, endpoint-only telemetry (for ICMP/DNS channels)
MITRE Reference | attack.mitre.org/techniques/T1048
