T1565.002: Transmitted Data Manipulation
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.[1][2] By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.
Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depend on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.
Analyst context for executives and security teams
Transmitted Data Manipulation is an integrity-focused impact technique: the adversary changes data while it is moving between systems or processes, so downstream systems, people, or business workflows act on false information. For leaders, the risk is not just data loss; it is corrupted decisions, hidden activity, and disrupted business processes on Linux, macOS, and Windows environments.
Executive priority
Prioritize this where business outcomes depend on trusted data in transit: payment flows, operational reporting, message handling, inter-system transfers, and regulated records. The key executive question is whether the organization can prove that important data was transmitted unchanged, and whether SOC/IR teams can reconstruct what changed, where, and by whom. Because ATT&CK provides no official detection text for this object, coverage should be treated as a validation exercise rather than assumed.
Technical view
This is an impact sub-technique of Data Manipulation (T1565) affecting Linux, macOS, and Windows. ATT&CK describes manipulation over network connections or between system processes, potentially requiring knowledge of the target transmission mechanism. SOC and IR teams should validate visibility across data movement paths, intermediary hosts, application services, and process-to-process handoffs. Relationship context links this technique to detection strategy DET0254 and mitigation M1041, Encrypt Sensitive Information, but the supplied object does not include detailed detection logic.
Likely telemetry
- Network flow, proxy, gateway, and secure transport logs for critical data paths
- Application, API, message queue, and transaction logs showing sent versus received values
- Endpoint process execution and service activity on systems that broker or transform transmitted data
- File, database, or storage write logs for data received from other systems
- Integrity evidence such as hashes, signatures, checksums, sequence numbers, or reconciliation records where implemented
Detection direction
- Map critical business data flows and confirm telemetry exists at both sender and receiver, not only at the network perimeter.
- Compare transmitted, received, and stored values where integrity checks or reconciliation records are available.
- Tune for unauthorized intermediaries, unexpected data transformation services, process injection or proxy-like behavior on broker systems, and anomalies in transaction sequencing or validation failures.
- Account for false positives from legitimate middleware, ETL jobs, format conversion, retries, and business-rule transformations.
- Use relationship context carefully: ATT&CK associates APT38 and several software entries with this technique, but local detection should be driven by protected data flows and observed telemetry, not attribution assumptions.
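The second and fourth bullets above describe a reconciliation check: line up what the sender logged against what the receiver stored, normalize away the transformations the business path is known to perform, and report only the remaining differences. The following Python is an added worked example of that check and is not code from the ATT&CK page or from any product; the JSON-lines sender and receiver logs, the field names, and the "amount formatting is the only legitimate transformation" assumption are all constructed for illustration.

```python
"""Reconcile what a sender logged against what the receiver stored, to surface
in-transit changes (T1565.002). Added example: both log formats below are
constructed JSON-lines records, not output of any real product."""
import json
from decimal import Decimal
from typing import Dict, List

# Constructed sender-side application log: the values the originating system sent.
SENDER_LOG = """\
{"seq": 1, "txn_id": "TX-1001", "beneficiary": "ACME Supplies", "amount": "1250.00", "currency": "USD"}
{"seq": 2, "txn_id": "TX-1002", "beneficiary": "Northwind Ltd", "amount": "980.50", "currency": "USD"}
{"seq": 3, "txn_id": "TX-1003", "beneficiary": "Contoso GmbH", "amount": "15000.00", "currency": "EUR"}
{"seq": 4, "txn_id": "TX-1004", "beneficiary": "Fabrikam Inc", "amount": "420.00", "currency": "USD"}
"""

# Constructed receiver-side write log: the values the destination actually stored.
# TX-1001/TX-1002 differ only in number formatting (a legitimate conversion hop);
# TX-1003's beneficiary was changed in transit; TX-1004 never arrived; TX-1005
# was stored although the sender never sent it.
RECEIVER_LOG = """\
{"seq": 1, "txn_id": "TX-1001", "beneficiary": "ACME Supplies", "amount": "1,250.00", "currency": "USD"}
{"seq": 2, "txn_id": "TX-1002", "beneficiary": "Northwind Ltd", "amount": "980.5", "currency": "USD"}
{"seq": 3, "txn_id": "TX-1003", "beneficiary": "Mule Account 7", "amount": "15000.00", "currency": "EUR"}
{"seq": 4, "txn_id": "TX-1005", "beneficiary": "Mule Account 7", "amount": "9800.00", "currency": "USD"}
"""

COMPARED_FIELDS = ("beneficiary", "amount", "currency")


def parse_log(text: str) -> Dict[str, dict]:
    """Index JSON-lines records by transaction id."""
    records: Dict[str, dict] = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            records[rec["txn_id"]] = rec
    return records


def normalize(field: str, value: str):
    """Undo the transformations the business path is known to perform
    legitimately, so they are not reported as manipulation. In this
    constructed path only amount formatting changes."""
    if field == "amount":
        return Decimal(value.replace(",", ""))
    return value


def reconcile(sender_text: str, receiver_text: str) -> List[dict]:
    """Return one finding per discrepancy between sent and stored records."""
    sent = parse_log(sender_text)
    received = parse_log(receiver_text)
    findings: List[dict] = []
    for txn_id, s in sorted(sent.items(), key=lambda kv: kv[1]["seq"]):
        r = received.get(txn_id)
        if r is None:
            findings.append({"txn_id": txn_id, "type": "missing_at_receiver"})
            continue
        if r["seq"] != s["seq"]:
            findings.append({"txn_id": txn_id, "type": "sequence_mismatch",
                             "sent": s["seq"], "received": r["seq"]})
        for field in COMPARED_FIELDS:
            if normalize(field, s[field]) != normalize(field, r[field]):
                findings.append({"txn_id": txn_id, "type": "value_mismatch", "field": field,
                                 "sent": s[field], "received": r[field]})
    # Records the receiver stored that the sender has no record of sending.
    for txn_id in sorted(received.keys() - sent.keys()):
        findings.append({"txn_id": txn_id, "type": "unsent_at_receiver"})
    return findings


if __name__ == "__main__":
    for f in reconcile(SENDER_LOG, RECEIVER_LOG):
        print(f)
```

Running it reports three findings: TX-1003 with a changed beneficiary, TX-1004 missing at the receiver, and TX-1005 present at the receiver with no sender record. TX-1001 and TX-1002 produce nothing because the only difference is numeric formatting, which `normalize` treats as legitimate. The value of the check depends entirely on that allow-list of transformations being an honest description of the path: every transformation you add to `normalize` is a place an adversary's change could hide, so keep it to what the middleware is documented to do.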
Mitigation priorities
- Apply strong protection for sensitive information in transit and during processing, aligned to M1041 Encrypt Sensitive Information.
- Prioritize integrity controls for high-value workflows: authenticated transport, signing, checksums, validation at receipt, and reconciliation between source and destination records.
- Restrict and monitor systems, services, and identities that can relay, transform, or write transmitted data.
- Document critical data paths for incident response so teams can quickly determine whether manipulation occurred and what business decisions may have been affected.
- Include integrity evidence in compliance and audit readiness, especially where transmitted records support financial, operational, or regulated decisions.
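The first two mitigation bullets call for authenticated transport, signing, and validation at receipt. One caveat worth making explicit: encryption by itself (the M1041 direction) protects confidentiality, and a receiver cannot tell from ciphertext alone whether bytes were changed in transit; integrity needs an authentication tag or signature checked before the body is acted on. The following Python is an added example of that receiver-side check and is not code from the ATT&CK page or from any referenced product: it uses an HMAC-SHA256 tag over a canonical serialization of the message plus a per-sender sequence number. The shared key, the envelope layout, and the simulated in-transit change are constructed for illustration.

```python
"""Authenticate each message so the receiver can reject anything changed in
transit (T1565.002 mitigation). Added example: HMAC-SHA256 over a canonical
serialization plus a per-sender sequence number. The key, message layout and
the simulated tamper are all constructed for illustration."""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. In a deployment this comes from a key store, is never
# embedded in source, and is not shared with intermediaries.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def canonical(msg: dict) -> bytes:
    """Fixed key order and separators so sender and receiver hash identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def protect(body: dict, seq: int, key: bytes = SHARED_KEY) -> dict:
    """Sender side: bind body and sequence number under one tag."""
    msg = {"seq": seq, "body": body}
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "tag": tag}


class Receiver:
    """Receiver side: verify the tag before anything reads the body, then
    enforce strictly increasing sequence numbers to catch replay/reorder."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.last_seq = 0

    def accept(self, envelope: dict) -> Tuple[bool, str]:
        msg = {"seq": envelope["seq"], "body": envelope["body"]}
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time compare; any changed byte in seq or body changes the tag.
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return False, "tag_mismatch"
        if envelope["seq"] <= self.last_seq:
            return False, "replay_or_reorder"
        self.last_seq = envelope["seq"]
        return True, "ok"


def demo() -> Tuple[Tuple[bool, str], ...]:
    rx = Receiver()
    e1 = protect({"txn_id": "TX-1001", "beneficiary": "ACME Supplies", "amount": "1250.00"}, seq=1)
    e2 = protect({"txn_id": "TX-1003", "beneficiary": "Contoso GmbH", "amount": "15000.00"}, seq=2)
    # Simulated intermediary rewriting the beneficiary in transit; the tag is untouched.
    tampered = json.loads(json.dumps(e2))
    tampered["body"]["beneficiary"] = "Mule Account 7"
    return (
        rx.accept(e1),        # genuine
        rx.accept(tampered),  # modified body, tag no longer matches
        rx.accept(e2),        # genuine original still accepted
        rx.accept(e1),        # replay of an already-accepted message
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The rejected results are themselves telemetry: a `tag_mismatch` on a path that has never produced one is exactly the "validation failure" anomaly the detection section asks teams to tune for, so log the verdict with the message identifier rather than silently dropping the message. The design only holds if the key is not available to the relays and transformation services the message passes through; a broker that legitimately rewrites the body must be a separate authenticated hop, not a holder of the end-to-end key.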
Analyst notes and limits
This object is most useful as a prompt to test end-to-end data integrity assumptions. ATT&CK places it under Impact and links it as a sub-technique of Data Manipulation. The prior T1493 technique is revoked by this object. ATT&CK relationships also list APT38 and software including LightNeuron, Metamorfo, Melcoz, and GlassWorm as using this behavior.
Official ATT&CK detection text is not provided, and the supplied DET0254 relationship does not include detection details. Specific indicators, affected protocols, and business impact depend on the local transmission mechanisms and applications. Do not infer current exploitation or coverage from the ATT&CK relationship list alone.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1565 | Data Manipulation | This object is a sub-technique of Data Manipulation. |
| Enterprise | T1493 | Transmitted Data Manipulation | T1493 was revoked and replaced by this object. |
Groups, software, and campaigns
G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
S0530: Melcoz
S9010: GlassWorm
GlassWorm is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution to victims across the various development ecosystems.[1][2][3] GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript and a variant leveraging invisible Unicode characters that made reverse engineering difficult.[4][1][5] GlassWorm has employed a unique command and control (C2) methodology using Solana blockchain.[6][1] GlassWorm was first reported in October 2025.[6][1][3]
S0395: LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]
S0455: Metamorfo
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 21438714a2df… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
[2] Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
[3] MITRE ATT&CK. T1565.002: Transmitted Data Manipulation.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.