MITRE ATT&CK® Technique

T1132.002: Non-Standard Encoding

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.[1][2]

Enterprise | T1132.002 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Non-Standard Encoding is a command-and-control behavior where adversaries transform C2 data using custom or modified encodings rather than recognizable protocol-compliant formats. The business issue is not the encoding itself; it is that ordinary content inspection, simple signatures, and standard decoders may miss the meaning of the traffic even when logs exist.
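As an added illustration (not code from this page, from MITRE, or from any of the malware families listed below), the following Python builds a hypothetical modified Base64 table and shows the failure mode just described: the bytes on the wire use only legal Base64 characters, so a standard decoder accepts them without error and returns bytes that mean nothing, while only the matching custom table recovers the message. The alphabet rotation, the sample payload and the triage labels are all constructed for this example.

```python
"""Modified Base64 as a non-standard encoding. Added example: the shifted table below
is constructed for illustration and is not taken from any specific malware family."""
import base64
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Hypothetical non-standard table: the standard alphabet rotated by 13 positions, so
# every 6-bit index is shifted. The output uses only legal Base64 characters, so a
# standard decoder accepts it without error and quietly returns the wrong bytes.
SHIFT = 13
CUSTOM_ALPHABET = STD_ALPHABET[SHIFT:] + STD_ALPHABET[:SHIFT]
_ENCODE_MAP = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
_DECODE_MAP = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)

# Shape check a naive content inspector would apply: standard alphabet, sane padding.
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def custom_b64encode(data: bytes) -> str:
    """Implant side: standard Base64, then remap each character through the custom table."""
    return base64.b64encode(data).decode("ascii").translate(_ENCODE_MAP)


def custom_b64decode(text: str) -> bytes:
    """Controller side: undo the character remap, then decode with the standard table."""
    return base64.b64decode(text.translate(_DECODE_MAP), validate=True)


def looks_like_base64(text: str) -> bool:
    """True when the text is Base64-shaped (length and alphabet), whatever table made it."""
    return len(text) % 4 == 0 and _B64_SHAPE.match(text) is not None


def _is_printable_text(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def classify_body(text: str) -> str:
    """Triage a message body the way simple content inspection would.

    'standard-base64-text' : the standard table decodes it to printable text
    'base64-shaped-opaque' : Base64-shaped, but the standard decoder either rejects it
                             or returns non-text bytes (modified table, compression or
                             encryption; needs endpoint/network context before escalation)
    'not-base64-shaped'    : does not even look like Base64
    """
    if not looks_like_base64(text):
        return "not-base64-shaped"
    try:
        decoded = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "base64-shaped-opaque"
    return "standard-base64-text" if _is_printable_text(decoded) else "base64-shaped-opaque"


if __name__ == "__main__":
    # Constructed beacon payload; not a real C2 message.
    payload = b"cmd=whoami"
    wire = custom_b64encode(payload)
    print("on the wire:      ", wire)
    print("standard decode:  ", base64.b64decode(wire))   # legal Base64, wrong bytes
    print("custom decode:    ", custom_b64decode(wire))   # b'cmd=whoami'
    print("inspector verdict:", classify_body(wire))      # base64-shaped-opaque
```

The point for detection engineering is the middle label: a body that passes the shape check yet does not decode to anything readable is exactly what a Base64-only signature or decoder chain will pass over, and it is also what compressed or encrypted application traffic looks like, which is why the classification is an input to correlation rather than an alert on its own.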

Executive priority

Treat this as a coverage question for C2 resilience: can the organization detect suspicious communication patterns when payload content is intentionally hard to interpret? Leaders should prioritize boundary visibility, egress monitoring, IDS/IPS governance, and incident response workflows that do not depend solely on decoding message bodies. This is not a vulnerability-management technique by itself, but it affects audit evidence and SOC readiness because teams must prove they can investigate abnormal C2 across Windows, Linux, macOS, and ESXi environments.

Technical view

ATT&CK lists this as a command-and-control sub-technique of Data Encoding for ESXi, Linux, macOS, and Windows. MITRE provides no standalone detection text, but the relationship to DET0326 indicates a behavior-chain detection approach for T1132.002 across those platforms. SOC teams should validate whether detections look beyond known Base64 or MIME patterns and correlate unusual outbound sessions, anomalous HTTP request bodies or other message content, endpoint process context, and repeatable beacon-like behavior. Relationship context shows use by multiple malware and backdoor families, so detections should be behavior-oriented rather than tied only to one tool name.

Likely telemetry

  • Network IDS/IPS alerts and packet or flow metadata at network boundaries
  • Proxy, web gateway, DNS, and firewall logs for outbound C2-like communication
  • HTTP request and response metadata, including unusual message bodies where collection is permitted
  • Endpoint process, command-line, network connection, and parent-child process telemetry on Windows, Linux, macOS, and ESXi where available
  • Malware analysis or incident response artifacts that reveal custom encoding routines or modified standard encodings

Detection direction

  • Validate coverage against non-standard or modified encodings, not only obvious Base64, ASCII, Unicode, or MIME use.
  • Use behavior-chain logic consistent with DET0326: correlate encoded-looking content with suspicious process activity, repeated outbound communication, and unusual destination patterns.
  • Tune carefully because legitimate applications may use proprietary encodings or compressed/serialized data; require contextual signals before escalating.
  • Check blind spots where encrypted traffic, limited packet capture, missing proxy logs, or weak endpoint-network correlation prevent analysts from seeing the C2 pattern.
  • Map detections to the parent Data Encoding technique T1132 so reporting distinguishes standard encoding from non-standard encoding when evidence supports it.
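The behavior-chain approach described in the list above, as an added example rather than detection logic published by Glexia or MITRE: constructed proxy-style log lines are grouped per (host, process, destination) session and scored on four independent signals, an opaque request body, beacon regularity, destination rarity and an unexpected client process, and a session is reported only when several of them line up. The log layout, hostnames, process allowlist and thresholds are assumptions made for this example.

```python
"""Behavior-chain triage for suspected non-standard C2 encoding. Added example over
constructed proxy-style log lines; the log layout, process allowlist, thresholds and
hostnames are assumptions for illustration, not a product schema or real indicators."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample, one request per line: epoch_seconds src_host process dst_host body
# ws-17 beacons every ~60 s with Base64-shaped bodies that the standard decoder cannot
# read; ws-03 and ws-21 are ordinary browser and mail traffic (the mail body is plain
# Base64 JSON, which decodes cleanly and must not be flagged).
SAMPLE_LOG = """\
1700000000 ws-17 updater.exe cdn-assets.example.net lDCxaQkPh6F0MrFzSQ==
1700000060 ws-17 updater.exe cdn-assets.example.net lDCxaQkPh6F1MrFzSQ==
1700000121 ws-17 updater.exe cdn-assets.example.net lDCxaQkPh6F2MrFzSQ==
1700000180 ws-17 updater.exe cdn-assets.example.net lDCxaQkPh6F3MrFzSQ==
1700000240 ws-17 updater.exe cdn-assets.example.net lDCxaQkPh6F4MrFzSQ==
1700000005 ws-03 chrome.exe www.example.com q=search+terms&page=2
1700000900 ws-03 chrome.exe www.example.com q=other+terms&page=1
1700000010 ws-21 outlook.exe mail.example.com eyJ0b2tlbiI6ImFiYyIsInVzZXIiOiJib2IifQ==
1700003700 ws-21 outlook.exe mail.example.com eyJ0b2tlbiI6ImFiYyIsInVzZXIiOiJib2IifQ==
"""

# Assumed allowlist of processes expected to talk to the web; anything else is "unusual".
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

_LOG_LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (.*)$")
_ENCODED_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass
class Event:
    ts: int
    host: str
    proc: str
    dst: str
    body: str


def parse_log(text: str) -> list:
    return [Event(int(m[1]), m[2], m[3], m[4], m[5])
            for m in map(_LOG_LINE.match, text.splitlines()) if m]


def body_is_opaque(body: str) -> bool:
    """Encoded-looking single token that the standard Base64 decoder cannot turn into text.
    A custom table, compression or encryption all land here; on its own it is not an alert."""
    if not _ENCODED_TOKEN.match(body):
        return False
    try:
        data = base64.b64decode(body, validate=True)
    except ValueError:
        return True
    return not all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def beacon_score(timestamps: list):
    """Coefficient of variation of inter-arrival gaps; near 0 means metronomic beaconing.
    Returns None below four observations, too few to call anything periodic."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def triage(events: list, cv_max: float = 0.2, min_signals: int = 3) -> list:
    """Chain content, timing, destination and process context per (host, process, dst)
    session and report only sessions carrying at least min_signals independent signals."""
    sessions = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for e in events:
        sessions[(e.host, e.proc, e.dst)].append(e)
        hosts_per_dst[e.dst].add(e.host)

    findings = []
    for (host, proc, dst), evs in sessions.items():
        signals = []
        if all(body_is_opaque(e.body) for e in evs):
            signals.append("every body is opaque to the standard decoder")
        cv = beacon_score([e.ts for e in evs])
        if cv is not None and cv <= cv_max:
            signals.append(f"periodic beacon (cv={cv:.3f}, n={len(evs)})")
        if len(hosts_per_dst[dst]) == 1:
            signals.append("destination contacted by a single host")
        if proc not in EXPECTED_CLIENTS:
            signals.append(f"unexpected client process {proc}")
        if len(signals) >= min_signals:
            findings.append({"host": host, "proc": proc, "dst": dst, "signals": signals})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} {f['proc']} -> {f['dst']}")
        for s in f["signals"]:
            print("   -", s)
```

Lowering min_signals to 1 shows the tuning caveat in practice: the browser and mail sessions in the sample are also the only hosts talking to their destinations, so a single-signal rule would page on them. The opaque-body check alone would likewise fire on any compressed or encrypted application payload, which is why the sample requires content, timing and context to agree before reporting.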

Mitigation priorities

  • Use network intrusion prevention at boundaries as identified by M1031, including signatures or rules that can block known malicious traffic patterns.
  • Prioritize egress monitoring and policy enforcement so unusual outbound C2 channels are visible and reviewable.
  • Maintain endpoint and network telemetry together; content decoding alone may not be sufficient for this technique.
  • During IR, preserve network samples and endpoint artifacts so analysts can determine whether custom encoding is present without assuming a specific malware family.
  • Review detection engineering coverage across the listed ATT&CK platforms, especially where ESXi or non-Windows telemetry is less mature.

Analyst notes and limits

The ATT&CK object has no official detection text, so defensive guidance should be validated locally. The relationship set includes Kimsuky and numerous software objects such as Uroburos, BACKSPACE, Bankshot, InvisiMole, ShadowPad, Lizar, Small Sieve, PowGoop, NightClub, Ninja, Neo-reGeorg, TONESHELL, and others, which supports the view that this is a reusable C2 behavior rather than a single-family indicator.

This take is based only on the supplied ATT&CK fields and relationships. It does not establish current exploitation, customer exposure, attribution, or guaranteed detection. Local traffic baselines, logging depth, encryption visibility, and endpoint coverage will determine practical detectability.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1132 | Data Encoding | This object is a sub-technique of Data Encoding.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Malware (Enterprise)

S0495: RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[1]

Platforms: Windows

Malware (Enterprise)

S0260: InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[1][2]

Platforms: Windows

Malware (Enterprise)

S0022: Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

Platforms: Linux, Windows, macOS

Malware (Enterprise)

S9007: HTTPTroy

HTTPTroy is a highly obfuscated backdoor that facilitates collection, command and control, defense evasion and exfiltration. HTTPTroy was first reported in October 2025. HTTPTroy has been observed in operations attributed to DPRK-affiliated threat actors, including Kimsuky. HTTPTroy has been delivered to victims through a separate loader leveraged by Kimsuky.[1]

Platforms: Windows

Malware (Enterprise)

S0239: Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector.[1]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 20bf67323498dbe7...

Imported snapshots across ATT&CK releases (1)

Release | Object version | Status | Raw hash
19.1 | 1.1 | Current bundle | 20bf67323498…
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.
  2. [2] Wikipedia. (2017, February 19). Character encoding. Retrieved March 1, 2017.
  3. [3] MITRE ATT&CK. T1132.002: Non-Standard Encoding.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.