
S0443: MESSAGETAP

MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. [1]

Enterprise | S0443 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

MESSAGETAP matters because it represents malware designed for telecommunications environments on Linux, with the stated purpose of monitoring and saving SMS traffic tied to selected phone numbers, IMSI numbers, or keywords. For leaders, the issue is not just malware cleanup; it is whether sensitive communications infrastructure has enough visibility to prove that subscriber-message data was not being passively collected, staged, archived, or erased from view.

Executive priority

Prioritize this as a resilience, privacy, and evidence-readiness concern for telecom or telecom-adjacent environments. Executives should ask whether Linux systems that can observe messaging traffic are in scope for managed detection, incident response logging, privileged access review, and compliance evidence retention. ATT&CK relates MESSAGETAP to APT41 and to behaviors including network sniffing, discovery, automated collection, local staging, custom archiving, and file deletion, so response planning should account for both data exposure and anti-forensic activity.

Technical view

SOC and IR teams should validate Linux visibility around systems positioned to observe network or messaging traffic. Because ATT&CK provides no official detection text for MESSAGETAP, coverage should be built from the related behaviors: T1040 Network Sniffing, T1049 System Network Connections Discovery, T1083 File and Directory Discovery, T1119 Automated Collection, T1074.001 Local Data Staging, T1560.003 Archive via Custom Method, T1140 Deobfuscate/Decode Files or Information, and T1070.004 File Deletion. Detection engineering should focus on unusual packet capture or promiscuous-mode activity, unexpected enumeration of connections/files, repeated collection matching criteria, suspicious local staging or custom archive artifacts, and deletion of recently created tools or data files.

Likely telemetry

  • Linux process execution and command-line telemetry
  • Linux file creation, modification, staging, archive, and deletion events
  • Network interface state changes, including promiscuous-mode or packet-capture indicators where collected
  • Network flow or packet metadata from sensitive telecommunications segments
  • System network connection listings and related audit logs

Detection direction

  • Start with asset scoping: identify Linux hosts and network positions that could observe SMS or subscriber-related traffic.
  • Validate whether packet capture, sniffing, or interface-mode changes are logged; this is a common blind spot for T1040-style behavior.
  • Tune discovery detections for context: network/file enumeration can be administrative, but becomes higher priority on messaging infrastructure or when followed by staging, archiving, or deletion.
  • Correlate collection indicators with local staging and custom archive creation rather than relying on a single malware signature.
  • Look for anti-forensic sequences such as file deletion after collection or tool execution.
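As an added example (not code from the ATT&CK entry or from the FireEye report), the following Python correlates, per host and within a time window, the stages the page links to MESSAGETAP: promiscuous-mode interface changes (T1040), reads and later deletion of keyword_parm.txt and parm.txt (T1140, T1070.004), and CSV staging (T1074.001). The simplified log format, event names, hostnames and paths are assumptions.

```python
import re
from collections import defaultdict

# Added example (not ATT&CK or FireEye code): correlate the MESSAGETAP stages the
# page lists from simplified Linux telemetry. The log format "<epoch> <host>
# <event> <detail>" and the event names are assumptions, not a real audit format.
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (.*)$")
CONFIG_FILES = ("keyword_parm.txt", "parm.txt")  # config files named on the page
WINDOW_SECONDS = 3600

def classify(event, detail):
    """Map one event to the ATT&CK technique MESSAGETAP is linked to, or None."""
    if event == "kernel" and "entered promiscuous mode" in detail:
        return "T1040"        # libpcap capture flips the interface to promiscuous
    if event == "open" and detail.endswith(CONFIG_FILES):
        return "T1140"        # config files read (then XOR-decoded) by the malware
    if event == "create" and detail.endswith(".csv"):
        return "T1074.001"    # matched SMS staged locally in CSV files
    if event == "unlink" and detail.endswith(CONFIG_FILES):
        return "T1070.004"    # config files deleted once loaded into memory
    return None

def correlate(lines, min_stages=3):
    """Return {host: sorted techniques} for hosts showing at least min_stages
    distinct stages whose first occurrences fall within WINDOW_SECONDS."""
    first_seen = defaultdict(dict)  # host -> technique -> first timestamp
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, host, event, detail = m.groups()
        tech = classify(event, detail)
        if tech and tech not in first_seen[host]:
            first_seen[host][tech] = int(ts)
    hits = {}
    for host, stages in first_seen.items():
        span = max(stages.values()) - min(stages.values())
        if len(stages) >= min_stages and span <= WINDOW_SECONDS:
            hits[host] = sorted(stages)
    return hits

# Constructed sample telemetry (not real data); the kernel line mirrors real dmesg text.
SAMPLE_LOG = [
    "1700000000 sms-gw1 kernel device eth1 entered promiscuous mode",
    "1700000005 sms-gw1 open /opt/svc/keyword_parm.txt",
    "1700000007 sms-gw1 unlink /opt/svc/keyword_parm.txt",
    "1700000300 sms-gw1 create /opt/svc/out/msgs.csv",
    "1700000010 admin01 open /etc/parm.txt",           # one stage only: benign
    "1700000020 admin01 create /home/ops/report.csv",  # two stages: below threshold
]
```

Lowering min_stages trades precision for recall; the admin01 host in the sample shows why a single config read or CSV write on its own is not worth an alert.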

Mitigation priorities

  • Segment and tightly control access to Linux systems that can observe telecommunications or messaging traffic.
  • Restrict privileged access and administrative tooling on systems in sensitive network paths.
  • Ensure logging retention covers Linux host activity, file operations, network connection discovery, and network interface changes.
  • Use file integrity monitoring and change control for critical messaging infrastructure and packet-observing systems.
  • Prepare incident response procedures for suspected data collection, including preservation of volatile network/process evidence and review of staged or deleted files.

Analyst notes and limits

The supplied ATT&CK object identifies MESSAGETAP as a Linux malware family deployed into telecommunications networks to monitor and save SMS traffic matching phone numbers, IMSI numbers, or keywords. ATT&CK links it to APT41 and several techniques that describe sniffing, discovery, collection, staging, custom archiving, decoding/deobfuscation, and file deletion. This take translates those relationships into defensive validation priorities rather than asserting current activity or guaranteed detection.

ATT&CK provides no official detection text, no explicit tactics on the malware object, no aliases, and only Linux as the stated platform. Recommendations therefore depend on the related techniques and the official description. Local architecture, telecom platform design, logging depth, and lawful operational monitoring practices are required to determine what is abnormal.

Official MITRE ATT&CK definition

MESSAGETAP

MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1070.004 | File Deletion (sub-technique)

Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk. [1]

Enterprise | T1040 | Network Sniffing

MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with the Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR-decodes and reads the contents of the files. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique)

MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system. [1]

Enterprise | T1049 | System Network Connections Discovery

After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server. [1]

Enterprise | T1560.003 | Archive via Custom Method (sub-technique)

MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list. [1]

Enterprise | T1119 | Automated Collection

MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS messages in the network traffic. If an SMS message contains a phone number, IMSI number, or keyword that matches the predefined list, it is saved to a CSV file for later theft by the threat actor. [1]

Enterprise | T1083 | File and Directory Discovery

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bb2c80b86095a71c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | bb2c80b86095…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye MESSAGETAP October 2019: Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who's Reading Your Text Messages? FireEye. Retrieved May 11, 2020.
  2. [2] mitre-attack S0443: MITRE ATT&CK, S0443: MESSAGETAP.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.