VOOZH about

URL: https://attack.mitre.org/techniques/T1001/001/

⇱ Data Obfuscation: Junk Data, Sub-technique T1001.001 - Enterprise | MITRE ATT&CK®

ATT&CKcon 7.0 is coming October 27-28, 2026. Learn more about ATT&CKcon 7.0 and submit your proposal.
  1. Home
  2. Techniques
  3. Enterprise
  4. Data Obfuscation
  5. Junk Data

Data Obfuscation: Junk Data

Other sub-techniques of Data Obfuscation (3)
ID Name
T1001.001 Junk Data
T1001.002 Steganography
T1001.003 Protocol or Service Impersonation

Adversaries may add junk data to protocols used for command and control to make detection more difficult.[1] By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

ID: T1001.001
Sub-technique of:  T1001
Platforms: ESXi, Linux, Windows, macOS
Version: 1.1
Created: 15 March 2020
Last Modified: 12 May 2026

Procedure Examples

ID Name Description
G0007 APT28

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[2]
S1246 BeaverTail

BeaverTail has added junk data or a dummy character prepended to a string to hamper decoding attempts.[3]
S0574 BendyBear

BendyBear has used byte randomization to obscure its behavior.[4]
S0134 Downdelph

Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[5]
S0588 GoldMax

GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.[6]
S0632 GrimAgent

GrimAgent can pad C2 messages with random generated values.[7]
S1020 Kevin

Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.[8]
S9020 LODEINFO

LODEINFO can append C2 communication with randomly generated junk data.[9][10]
S1047 Mori

Mori has obfuscated the FML.dll with 200MB of junk data.[11]
S0016 P2P ZeuS

P2P ZeuS added junk data to outgoing UDP packets to peer implants.[12]
S0626 P8RAT

P8RAT can send randomly-generated data as part of its C2 communication.[13]
S0435 PLEAD

PLEAD samples were found to be highly obfuscated with junk code.[14][15]
S0559 SUNBURST

SUNBURST added junk bytes to its C2 over HTTP.[1]
S0682 TrailBlazer

TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[16]
S0647 Turian

Turian can insert pseudo-random characters into its network encryption setup.[17]
S1164 UPSTYLE

UPSTYLE retrieves a non-existent webpage from the command and control server then parses commands from the resulting error logs to decode commands to the web shell.[18]
S0022 Uroburos

Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.[19]
S0514 WellMess

WellMess can use junk data in the Base64 string for additional obfuscation.[20]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0011 Detecting Junk Data in C2 Channels via Behavioral Analysis AN0030

Processes generating large outbound connections with disproportionate send/receive ratios, often to uncommon ports or hosts, potentially inserting meaningless data into protocol payloads.
AN0031

Outbound traffic with anomalous payload sizes and patterns from non-networking processes, often observed via packet inspection or connection logs.
AN0032

Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response.
AN0033

Anomalous traffic from ESXi host management daemons (like hostd or vpxa) embedding non-standard payloads in management protocols (e.g., HTTPS) or beaconing behavior.

References

  1. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  2. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  3. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  4. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  5. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  6. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  7. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  8. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  9. Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part II. Retrieved April 17, 2026.
  10. Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.
  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  2. SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
  3. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  4. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  5. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  6. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  7. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  8. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  9. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  10. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
×