T1481.001: Dead Drop Resolver
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed).
Analyst context for executives and security teams
Dead Drop Resolver matters because compromised mobile devices may contact legitimate web or social services to find current command-and-control infrastructure. For leaders, the risk is not just malware communication; it is that the traffic can blend into normal business use of common encrypted services, making blocking and investigation harder without disrupting users.
Executive priority
Prioritize this as a mobile security and incident response readiness issue. Ask whether Android and iOS device traffic to common web services is visible enough to support investigations, whether mobile app risk controls can identify suspicious external lookups, and whether response teams can distinguish acceptable use of popular services from malware using those services as C2 infrastructure pointers. This is especially relevant where mobile devices access sensitive business systems or regulated data.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into mobile network connections from Android and iOS devices to legitimate external web services, especially where content may contain encoded or obfuscated domains or IP addresses. ATT&CK provides no official detection text for this sub-technique, but a related detection strategy exists: DET0617, Detection of Dead Drop Resolver. Relationship context shows Android malware examples using this behavior, including ANDROIDOS_ANSERVER.A, XLoader for Android, Anubis, Red Alert 2.0, and Android/SpyAgent, so Android telemetry should be a priority while not ignoring the listed iOS platform support.
Likely telemetry
- Mobile device network connection logs for Android and iOS
- DNS and web proxy records showing external service access from mobile devices
- TLS/SSL metadata where available, without assuming content inspection
- Mobile threat defense or endpoint telemetry for suspicious app network behavior
- App inventory and installation source data for mobile devices
Detection direction
- Validate whether DET0617 or equivalent analytics are implemented and tested for mobile environments.
- Look for mobile apps retrieving content from legitimate web services followed by connections to newly identified domains or IP addresses.
- Tune carefully because popular websites and social media can generate high false positives in normal business traffic.
- Account for SSL/TLS encryption, which may limit content visibility and require reliance on metadata, device context, app identity, and behavioral sequencing.
- Prioritize correlation between suspicious app installations, unusual external service access, and subsequent C2-like network destinations.
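The "behavioral sequencing" direction above (legitimate web service contacted, then a connection to a never-before-seen destination by the same app, with a first-seen check to keep popular services from flooding the queue) can be prototyped over flat connection records. The following is an added example written for this page, not MITRE's DET0617 analytic and not Glexia code; the log format (`ts device app dest`), the device baselines, the popular-service list and the 120-second window are all constructed assumptions.

```python
"""Behavioral sequencing analytic for dead drop resolver activity (T1481.001).

Added example, not part of the mirrored ATT&CK object or the Glexia analysis.
Assumptions (all constructed for illustration):
  - connection records are whitespace-separated lines "ts device app dest"
  - WEB_SERVICES lists popular, allow-listed services normal traffic already hits
  - BASELINE holds destinations each device was seen contacting before the window
A hit is raised when an app reaches a legitimate web service and, within
WINDOW_SECONDS, the same app on the same device connects to a destination the
device has never contacted before.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 120  # assumed tuning knob; shorten to cut false positives


@dataclass(frozen=True)
class Conn:
    ts: int
    device: str
    app: str
    dest: str


# Constructed set of popular services a business network talks to every day.
WEB_SERVICES = {"blogger.com", "twitter.com", "docs.google.com", "pastebin.com"}

# Constructed per-device baseline of destinations seen before the analysis window.
BASELINE = {
    "android-01": {"mail.example-corp.internal", "twitter.com", "docs.google.com"},
    "ios-02": {"twitter.com", "slack.com"},
}

# Constructed sample connection log (203.0.113.17 is a documentation-range address).
SAMPLE_LOG = """\
1700000000 android-01 com.example.vpnclient blogger.com
1700000045 android-01 com.example.vpnclient 203.0.113.17
1700000050 ios-02 com.apple.mobilesafari twitter.com
1700000060 ios-02 com.apple.mobilesafari slack.com
1700000100 android-01 com.android.chrome docs.google.com
1700000110 android-01 com.android.chrome docs.google.com
1700000500 android-01 com.example.vpnclient 203.0.113.17
"""


def parse_log(text):
    """Parse the constructed log format into Conn records sorted by time."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, app, dest = line.split()
        conns.append(Conn(int(ts), device, app, dest))
    return sorted(conns, key=lambda c: c.ts)


def is_web_service(dest):
    return dest in WEB_SERVICES


def find_resolver_sequences(conns, baseline, window=WINDOW_SECONDS):
    """Return (device, app, service, new_dest, seconds_after_service) per hit.

    The first-seen check (per device) is what keeps ordinary browsing of
    popular services from paging the SOC; only a brand-new follow-on
    destination within the window after a web-service contact is reported.
    """
    seen = {dev: set(dests) for dev, dests in baseline.items()}
    recent = defaultdict(list)  # (device, app) -> [(ts, web service contacted)]
    hits = []
    for c in conns:
        key = (c.device, c.app)
        device_seen = seen.setdefault(c.device, set())
        if is_web_service(c.dest):
            recent[key].append((c.ts, c.dest))
            device_seen.add(c.dest)
            continue
        # Drop web-service contacts that fell out of the correlation window.
        recent[key] = [(t, s) for t, s in recent[key] if c.ts - t <= window]
        if c.dest not in device_seen and recent[key]:
            svc_ts, svc = recent[key][-1]
            hits.append((c.device, c.app, svc, c.dest, c.ts - svc_ts))
        # Whether flagged or not, the destination is now part of the baseline,
        # so repeated beaconing to the same host is reported once.
        device_seen.add(c.dest)
    return hits


if __name__ == "__main__":
    for hit in find_resolver_sequences(parse_log(SAMPLE_LOG), BASELINE):
        print("possible dead drop resolution:", hit)
```

On the constructed sample this reports the VPN-client app on `android-01` reaching `blogger.com` and 45 seconds later opening a connection to an address the device had never contacted, while `ios-02` browsing `twitter.com` and then `slack.com` stays quiet because `slack.com` is already in that device's baseline. In a real deployment the baseline would come from proxy/DNS history and the app identity from mobile threat defense or MDM telemetry; TLS keeps the resolver content itself out of reach, which is exactly why the analytic leans on sequencing and first-seen metadata rather than payload inspection.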
Mitigation priorities
- Strengthen mobile device management and mobile app governance for Android and iOS devices accessing business resources.
- Limit installation of untrusted or unnecessary mobile applications where business policy allows.
- Ensure mobile network, DNS, and proxy logging are retained long enough for incident response reconstruction.
- Define response playbooks for isolating or investigating mobile devices suspected of using legitimate web services for C2 resolution.
- Use threat-informed validation based on the related Android malware examples, while avoiding assumptions that those examples represent current activity in the local environment.
Analyst notes and limits
This object is a mobile ATT&CK sub-technique under Web Service. Its practical importance comes from adversaries hiding C2 infrastructure discovery inside normal-looking access to legitimate external services. The relationship set includes one detection strategy and multiple Android software examples, which supports Android-focused validation, while the technique itself is listed for both Android and iOS.
MITRE provides no official detection text and no tactic value in the supplied object. The related detection strategy is named but not described here. Local conclusions require environment-specific evidence such as mobile device ownership model, logging coverage, allowed app sources, proxy/DNS visibility, and business tolerance for restricting common web services.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1481 | Web Service | This object is a sub-technique of Web Service. |
Groups, software, and campaigns
S0310: ANDROIDOS_ANSERVER.A
ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control.[1]
S0539: Red Alert 2.0
Red Alert 2.0 is a banking trojan that masquerades as a VPN client.[1]
S0318: XLoader for Android
XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.[1][2] It is tracked separately from the XLoader for iOS.
S1214: Android/SpyAgent
Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.[1] Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.[1]
S0422: Anubis
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 028c092d111b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: T1481.001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.