T1001.002: Steganography
Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
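To make the description concrete, the following is an added example (written for this page, not code from ATT&CK or from any of the malware families listed below): a toy least-significant-bit (LSB) embedding of a C2-style command into a constructed 8-bit grayscale pixel buffer, followed by the classic pairs-of-values chi-square check. The pixel buffer, its 80/20 pair skew (a crude stand-in for a natural image's unequal histogram), the command text and the thresholds are all constructed assumptions. The point a practitioner should take from it is twofold: every pixel changes by at most one level, so byte-level content inspection sees an ordinary image, and the statistical check only bites when a large share of the carrier's capacity is used, which a short beacon command does not.

```python
"""Added example: toy LSB steganography plus a pairs-of-values chi-square
check. Constructed data only; not code from the page or any listed malware."""
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a 2-byte big-endian length prefix and the payload, one bit per
    pixel LSB, MSB-first. Each pixel moves by at most 1, so the stego image
    is visually and structurally identical to the cover."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for 16-bit length prefix")
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for byte_i in range(count):
            val = 0
            for bit_i in range(8):
                val = (val << 1) | (stego[start_bit + byte_i * 8 + bit_i] & 1)
            out.append(val)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic: for each pair (2k, 2k+1) compare the two
    counts against their mean. Random LSB embedding pushes each pair toward
    equality, so the statistic collapses when most of the capacity is used."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def make_cover(n_pixels: int, seed: int = 7) -> bytes:
    """Constructed cover: within every pair the even value is favoured 80/20,
    an artificial stand-in for the unequal pair counts of a natural image."""
    rng = random.Random(seed)
    return bytes((2 * rng.randrange(128)) | (1 if rng.random() < 0.2 else 0)
                 for _ in range(n_pixels))


def demo() -> dict:
    cover = make_cover(4096)
    command = b"sleep 3600; beacon https://example.invalid/c2"  # constructed
    short = embed_lsb(cover, command)
    # Full-capacity payload: pseudo-random bytes filling all 4096 pixel LSBs.
    rng = random.Random(11)
    full_payload = bytes(rng.randrange(256) for _ in range((4096 - 16) // 8))
    full = embed_lsb(cover, full_payload)
    return {
        "recovered": extract_lsb(short),
        "max_pixel_delta": max(abs(a - b) for a, b in zip(cover, short)),
        "chi_cover": pov_chi_square(cover),
        "chi_short": pov_chi_square(short),   # short command: barely moves
        "chi_full": pov_chi_square(full),     # full capacity: collapses
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and compare `chi_short` with `chi_cover`: the 46-byte command occupies under a tenth of the carrier and leaves the statistic close to the cover's value, which is why the detection guidance later on this page leans on file-plus-network correlation rather than on content analysis alone.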
Analyst context for executives and security teams
Steganography matters because it can make command-and-control traffic look like ordinary digital content, such as image or document files, rather than obvious malware traffic. For leaders, the practical issue is whether the organization can correlate file movement with network behavior well enough to spot hidden C2 across Windows, Linux, macOS, and ESXi environments.
Executive priority
Treat this as a control-validation problem for C2 resilience, not just a malware-analysis topic. Ask whether network boundary inspection, file telemetry, and SOC correlation are strong enough to investigate suspicious file-based communications, especially on servers and platforms where logging may be weaker. The ATT&CK relationships show use across multiple malware families and a campaign/group context, but they do not by themselves indicate current exposure or attribution to any environment.
Technical view
This is a command-and-control sub-technique under Data Obfuscation. Because ATT&CK provides no official detection text, SOC teams should map coverage to the related detection strategy DET0235: correlating files with network activity. Validate visibility for inbound and outbound transfers of image/document-like content, network boundary alerts, and unusual C2-like patterns across Linux, macOS, Windows, and ESXi. Relationship context includes Windows-heavy software examples, plus Linux/macOS coverage in some related software, so do not limit validation to a single endpoint platform.
Likely telemetry
- Network session and flow records for outbound and inbound communications
- Proxy, web gateway, firewall, IDS, and IPS logs at network boundaries
- File transfer metadata and retained samples where legally and operationally permitted
- Endpoint or server file creation/modification telemetry for received or staged image/document-like files
- Email or messaging telemetry where file-based communications are in scope
Detection direction
- Use file-plus-network correlation rather than relying only on content inspection; steganography is specifically intended to make C2 harder to recognize.
- Tune for suspicious combinations: repeated file transfers, unusual destinations, boundary alerts, and file activity on systems that do not normally exchange such content.
- Account for false positives from legitimate image, document, marketing, engineering, and user-generated content workflows.
- Validate ATT&CK mapping against DET0235 if that strategy is implemented locally; ATT&CK does not provide native detection logic for this sub-technique.
- Review blind spots on non-user endpoints, servers, and ESXi environments, where file and network telemetry may be less complete.
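The correlation logic the list above describes, as an added example for this page (not code from ATT&CK, DET0235 or any vendor): carrier-type file writes are paired with outbound flows from the same host inside a short window, and each (host, destination) pair is scored on the suspicious combinations named above (repeats, hosts that do not normally exchange such content, server and ESXi roles, boundary alerts). The telemetry records, field names, host-role table, addresses, window and thresholds are constructed assumptions; a real deployment would read these from the SIEM and CMDB.

```python
"""Added example: file-plus-network correlation for suspected steganographic
C2 over constructed endpoint file events and flow records. Schema, hosts,
roles, addresses and thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

CARRIER_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".pdf", ".docx"}

# Constructed asset inventory (assumption; normally sourced from a CMDB).
HOST_ROLES = {
    "ws-mkt-07": "workstation:marketing",  # legitimately moves images all day
    "ws-eng-12": "workstation",
    "srv-db-02": "server",
    "esx-01": "esxi",
}
CONTENT_WORKFLOW_ROLES = {"workstation:marketing"}  # expected carrier traffic
NO_CONTENT_EXPECTED = {"server", "esxi"}            # blind spots named on the page


def correlate(file_events, flows, boundary_alert_dsts=frozenset(),
              window_s=120, min_repeats=3, alert_threshold=3):
    """Pair carrier-type file writes with outbound flows from the same host
    within window_s seconds, then score each (host, dst) pair."""
    out_flows = defaultdict(list)
    for fl in flows:
        if fl["direction"] == "out":
            out_flows[fl["host"]].append((datetime.fromisoformat(fl["ts"]), fl["dst"]))
    pairs = defaultdict(list)  # (host, dst) -> carrier files seen before a flow
    for ev in file_events:
        if os.path.splitext(ev["path"])[1].lower() not in CARRIER_EXTS:
            continue
        t = datetime.fromisoformat(ev["ts"])
        for ft, dst in out_flows[ev["host"]]:
            if 0 <= (ft - t).total_seconds() <= window_s:
                pairs[(ev["host"], dst)].append(ev["path"])
    alerts = []
    for (host, dst), paths in pairs.items():
        role = HOST_ROLES.get(host, "unknown")
        score, reasons = 0, []
        if len(paths) >= min_repeats:
            score += 2
            reasons.append(f"{len(paths)} carrier-file/outbound pairs within {window_s}s")
        if role not in CONTENT_WORKFLOW_ROLES:
            score += 1
            reasons.append(f"role '{role}' has no known content workflow")
        if role in NO_CONTENT_EXPECTED:
            score += 1
            reasons.append("server/ESXi host exchanging image or document content")
        if dst in boundary_alert_dsts:
            score += 2
            reasons.append("destination flagged by boundary IDS/IPS")
        if score >= alert_threshold:
            alerts.append({"host": host, "dst": dst, "score": score,
                           "files": paths, "reasons": reasons})
    return sorted(alerts, key=lambda a: (-a["score"], a["host"]))


def sample_data():
    """Constructed telemetry, not real logs."""
    files, flows = [], []

    def add(host, ts, path, dst, delay_s, direction="out"):
        files.append({"host": host, "ts": ts, "path": path})
        t = datetime.fromisoformat(ts) + timedelta(seconds=delay_s)
        flows.append({"host": host, "ts": t.isoformat(), "dst": dst,
                      "direction": direction})

    for m in (0, 5, 10, 15, 20):  # marketing workstation pushing banners to a CDN
        add("ws-mkt-07", f"2024-03-01T09:{m:02d}:00",
            f"C:\\Users\\mkt\\banner{m}.png", "192.0.2.50", 10)
    for h, m in ((2, 0), (2, 30), (3, 0), (3, 30)):  # DB server writing PNGs at night
        add("srv-db-02", f"2024-03-01T{h:02d}:{m:02d}:00",
            f"/tmp/.cache/img{h:02d}{m:02d}.png", "203.0.113.10", 5)
    add("srv-db-02", "2024-03-01T05:00:00", "/var/log/app.log", "203.0.113.10", 5)
    add("ws-eng-12", "2024-03-01T10:00:00", "C:\\Users\\eng\\spec.pdf", "192.0.2.80", 30)
    add("esx-01", "2024-03-01T04:00:00", "/tmp/vmware-root/thumb.jpg", "198.51.100.7", 20)
    add("esx-01", "2024-03-01T04:30:00", "/tmp/vmware-root/thumb2.jpg",
        "198.51.100.7", 20, direction="in")  # inbound flow: ignored
    return files, flows


def demo():
    files, flows = sample_data()
    return correlate(files, flows, boundary_alert_dsts={"198.51.100.7"})


if __name__ == "__main__":
    for alert in demo():
        print(alert["host"], alert["dst"], alert["score"], alert["reasons"])
```

The marketing workstation repeats the same file-then-flow pattern more often than the database server does, but it never reaches the threshold because its role carries an expected content workflow; the server and the ESXi host do, on role and boundary-alert signals rather than on any inspection of the files themselves. The role table is the knob that controls false positives, so keep it current.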
Mitigation priorities
- Prioritize M1031 Network Intrusion Prevention at network boundaries using intrusion detection signatures to block or alert on relevant traffic.
- Ensure boundary controls produce evidence the SOC can correlate with file activity and incident timelines.
- Sequence control validation from highest-risk egress points and server networks before expanding to lower-risk segments.
- Do not depend on a single signature or content rule; use layered network prevention, logging, and investigation workflows.
Analyst notes and limits
The relationship set ties this behavior to Data Obfuscation, Operation Ghost, Axiom, and multiple software entries including HAMMERTOSS, Duqu, Daserf, ZeroT, LightNeuron, RDAT, SUNBURST, Sliver, Zox, LunarWeb, and LunarMail. Use these as ATT&CK context for threat modeling and detection prioritization, not as proof of activity in a specific environment.
Official ATT&CK detection guidance is not provided for this object. The recommendations above are limited to the supplied description, platforms, tactic, DET0235 detection-strategy relationship, M1031 mitigation relationship, and listed use relationships. Local telemetry, file-retention policy, legal constraints, and normal business file-transfer patterns are required to assess actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1001 | Data Obfuscation | This object is a sub-technique of Data Obfuscation. |
Groups, software, and campaigns
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
S1141: LunarWeb
LunarWeb is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with LunarLoader and LunarMail. LunarWeb has only been observed deployed against servers and can use Steganography to obfuscate command and control.[1]
S0037: HAMMERTOSS
HAMMERTOSS is a backdoor that was used by APT29 in 2015.[1][2]
S0633: Sliver
S0672: Zox
S0395: LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]
S0230: ZeroT
S0187: Daserf
S0495: RDAT
S1142: LunarMail
LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and Steganography in command and control.[1]
S0038: Duqu
S0559: SUNBURST
C0023: Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 217e0ed990d0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. University of Birmingham. Retrieved April 20, 2016.
[2] MITRE ATT&CK. T1001.002: Steganography.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.