MITRE ATT&CK® Technique

T1665: Hide Infrastructure

Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic from defensive tools,[1] masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,[2][3][4] and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.

C2 networks may include the use of Proxy or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.[5][6]

Adversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.[7][8] Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., Virtualization/Sandbox Evasion).[1][7]

Hiding C2 infrastructure may also be supported by Resource Development activities such as Acquire Infrastructure and Compromise Infrastructure. For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.[9][10]

Enterprise | T1665 | Technique | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Hide Infrastructure matters because it makes command-and-control harder to find, block, or take down. Instead of only hiding malware on an endpoint, the adversary may shape network traffic, use proxies or VPNs, present benign-looking domains, redirect selectively, or filter out security tools and researchers. For leaders, the practical issue is whether security decisions rely too heavily on IP reputation, geolocation, sandbox results, or one-time domain analysis.

Executive priority

Treat this as a resilience and investigation-readiness problem. If C2 infrastructure can look local, trusted, or benign until specific conditions are met, then incident response, managed detection, cloud access policy, and takedown workflows need evidence beyond simple blocklists. Executives should ask whether conditional access depends too much on source IP or geography, whether SOC teams can reconstruct redirect chains and proxy/VPN use, and whether network-device and cloud telemetry are retained long enough to support incident decisions and compliance evidence.

Technical view

ATT&CK places T1665 in command-and-control across ESXi, Linux, macOS, Network Devices, and Windows. The official detection field is not provided, but the relationship to DET0411 indicates a detection strategy exists. SOC and IR teams should validate visibility into traffic manipulation patterns described by MITRE: proxy or VPN use, source IP/geolocation alignment with victim ranges, user-agent based filtering, IP or geo-fenced responses, benign landing content that redirects only under certain conditions, and infrastructure using trusted hosting, URL shortening, or marketing services. Relationship context shows this behavior is linked to campaigns, groups, and software including SolarWinds Compromise, Quad7 Activity, Operation Digital Eye, APT29, ZIRCONIUM, DarkGate, UPSTYLE, and JumbledPath; use that context for threat-informed testing without assuming local exposure.

Likely telemetry

  • DNS query and response logs, including domain age/reputation context where available
  • Proxy, secure web gateway, and URL filtering logs with full URL, referrer, redirect chain, and user-agent fields
  • Firewall, NetFlow, and network session metadata for outbound C2-like patterns and proxy/VPN paths
  • Cloud and virtual private cloud network flow logs where cloud infrastructure or source-IP alignment is relevant
  • Identity and conditional access logs showing source IP, geography, device context, and policy decisions

Detection direction

  • Do not rely on a single indicator class such as domain, IP, ASN, geolocation, or sandbox verdict; validate behavior across DNS, HTTP/S, proxy, and identity context.
  • Tune for mismatches between automated analysis and user-observed content, including domains that serve benign content to scanners but redirect selected users.
  • Review user-agent, IP, and geography-dependent responses as potential evasion, while accounting for legitimate content delivery, localization, marketing, and anti-fraud controls as false-positive sources.
  • Validate whether trusted services such as URL shorteners, hosting providers, or marketing platforms are logged with enough detail to expose the final destination, not just the first URL.
  • Use relationship-driven threat intelligence to prioritize tests for network-device and cloud-adjacent visibility, especially where compromised infrastructure or VPN/proxy paths could bypass policy assumptions.
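
The redirect-chain and scanner-mismatch points above can be exercised directly against gateway logs. The following is an added example written for this page, not code from MITRE or from any vendor cited here: it rebuilds redirect chains from proxy log lines, reports chains that enter through a trusted intermediary (URL shortener, marketing redirector) and exit to some other host, and flags start URLs whose final destination differs between browser and scanner user-agents. The log format, the intermediary host list, the scanner user-agent heuristic and the sample events are all constructed, so adapt the parser and lists to the secure web gateway actually in use.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format: <ts> <client_ip> <method> <url> <status> <location|-> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Constructed: hosts whose first hop is benign in isolation (shorteners, marketing
# redirectors); the host at the end of the chain is what needs enrichment.
TRUSTED_INTERMEDIARIES = {"short.example", "cdn-marketing.example"}
# Constructed heuristic: user-agent fragments that identify scanners and sandboxes.
SCANNER_UA_TOKENS = ("urlscan", "sandbox", "python-requests", "curl/", "go-http-client")

# Constructed events: a victim browser and a sandbox follow the same shortened link
# and are sent to different places; a second user follows an unrelated link.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.1.2.3 GET https://short.example/abc123 302 https://cdn-marketing.example/go?id=77 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2024-03-01T09:00:01Z 10.1.2.3 GET https://cdn-marketing.example/go?id=77 302 https://update-browser-now.example/chrome.zip "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2024-03-01T09:00:02Z 10.1.2.3 GET https://update-browser-now.example/chrome.zip 200 - "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2024-03-01T09:05:00Z 10.9.9.9 GET https://short.example/abc123 302 https://cdn-marketing.example/go?id=77 "urlscan-sandbox/1.0"
2024-03-01T09:05:00Z 10.9.9.9 GET https://cdn-marketing.example/go?id=77 302 https://www.example-news.example/ "urlscan-sandbox/1.0"
2024-03-01T09:05:01Z 10.9.9.9 GET https://www.example-news.example/ 200 - "urlscan-sandbox/1.0"
2024-03-01T09:10:00Z 10.1.2.4 GET https://short.example/xyz789 302 https://www.example-news.example/ "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
2024-03-01T09:10:00Z 10.1.2.4 GET https://www.example-news.example/ 200 - "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, location, ua = m.groups()
        events.append({"ts": ts, "client": client, "method": method, "url": url,
                       "status": int(status), "ua": ua,
                       "location": None if location == "-" else location})
    return events


def build_chains(events):
    """Stitch each client's requests into redirect chains.

    A 3xx with a Location opens an expectation that the same client fetches that
    URL next; the matching request extends the chain, anything else starts a new
    one. Chains whose last hop never appears in the log are still returned.
    """
    pending = defaultdict(dict)  # client -> {expected_next_url: chain}
    finished = []
    for ev in events:
        chain = pending[ev["client"]].pop(ev["url"], None) or []
        chain.append(ev)
        if ev["status"] in REDIRECT_CODES and ev["location"]:
            pending[ev["client"]][ev["location"]] = chain
        else:
            finished.append(chain)
    for per_client in pending.values():
        finished.extend(per_client.values())
    return finished


def host_of(url):
    return urlsplit(url).hostname or ""


def ua_class(ua):
    return "scanner" if any(t in ua.lower() for t in SCANNER_UA_TOKENS) else "browser"


def summarize(chain):
    """Start URL, final host (the Location of an unfinished last hop counts), path, UA class."""
    last = chain[-1]
    return {"start_url": chain[0]["url"],
            "final_host": host_of(last["location"] or last["url"]),
            "path": [host_of(ev["url"]) for ev in chain],
            "ua_class": ua_class(chain[0]["ua"])}


def flag_intermediary_exits(chains):
    """Chains that enter through a trusted intermediary and end somewhere else.

    Logging only the first URL would record a shortener and nothing more.
    """
    rows = [summarize(c) for c in chains]
    return [r for r in rows if host_of(r["start_url"]) in TRUSTED_INTERMEDIARIES
            and r["final_host"] not in TRUSTED_INTERMEDIARIES]


def detect_cloaking(chains):
    """Start URLs whose final host differs between scanner and browser user-agents."""
    seen = defaultdict(lambda: {"browser": set(), "scanner": set()})
    for r in map(summarize, chains):
        seen[r["start_url"]][r["ua_class"]].add(r["final_host"])
    return {url: s for url, s in seen.items()
            if s["browser"] and s["scanner"] and s["browser"] != s["scanner"]}


if __name__ == "__main__":
    chains = build_chains(parse_log(SAMPLE_LOG))
    for r in flag_intermediary_exits(chains):
        print("intermediary exit:", " -> ".join(r["path"]), "=>", r["final_host"], f"[{r['ua_class']}]")
    for url, s in detect_cloaking(chains).items():
        print("cloaking suspected:", url, "browser ->", sorted(s["browser"]), "| scanner ->", sorted(s["scanner"]))
```

Replace SAMPLE_LOG with exported gateway logs to run it for real. The cloaking check only fires when both a browser-class and a scanner-class client fetched the same start URL, so pairing user traffic with your own sandbox detonations of the same links is what makes it useful. Localization, A/B marketing and anti-fraud redirects also produce divergent final hosts, as the bullets above note, so treat a hit as a review queue rather than a verdict.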

Mitigation priorities

  • Reduce dependence on geolocation or source-IP trust alone in conditional access and anti-abuse decisions.
  • Ensure egress monitoring and web controls capture full URL and redirect context for high-risk destinations and trusted intermediary services.
  • Prioritize logging and hardening for internet-facing network devices and cloud network paths that could obscure or relay C2 traffic.
  • Maintain incident response procedures for rapid enrichment, blocking, and takedown requests, but assume adversary infrastructure may present different content to responders.
  • Use threat-informed validation against the ATT&CK relationship context to test whether current tools see proxy/VPN use, selective redirects, and scanner evasion.
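
The first mitigation above is easiest to reason about as a side-by-side policy comparison. The following is an added example for this page, not MITRE's text and not any identity provider's policy language: it evaluates constructed sign-in events (made-up users, CIDRs, countries and ASN classes) against an IP/geolocation-only rule and against a rule that treats network location as one signal among several.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the organisation's own egress ranges and the countries it
# expects sign-ins from. Neither is real data.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
ALLOWED_COUNTRIES = {"US", "GB"}


@dataclass(frozen=True)
class SignIn:
    user: str
    src_ip: str
    country: str            # from IP geolocation of src_ip
    network_type: str       # "corporate" | "residential" | "hosting", from ASN enrichment
    device_compliant: bool  # managed device passing posture checks
    mfa_satisfied: bool


def ip_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide_ip_geo_only(ev):
    """Weak policy: being inside a trusted range or an allowed country is enough.

    This is the assumption the technique defeats: a VPC in the right region,
    a residential proxy, or a compromised edge device satisfies it.
    """
    return "allow" if ip_trusted(ev.src_ip) or ev.country in ALLOWED_COUNTRIES else "block"


def decide_with_context(ev):
    """Stronger policy: network location is a signal, never the sole gate."""
    if not ev.mfa_satisfied:
        return "block"
    if ev.device_compliant and ev.network_type != "hosting":
        return "allow"
    # Right IP or geography but from hosting/VPS space, or from an unmanaged
    # device: force re-authentication and review instead of trusting the source.
    return "step-up"


# Constructed sign-in events.
SAMPLE_SIGNINS = [
    SignIn("alice", "203.0.113.10", "US", "corporate", True, True),
    # Adversary on a cloud VM in a US region: geolocation matches the victim,
    # but the ASN is hosting space and the device is unmanaged.
    SignIn("bob", "192.0.2.44", "US", "hosting", False, True),
    # Legitimate traveller from an unexpected country on a compliant device.
    SignIn("carol", "198.18.5.5", "DE", "residential", True, True),
    # Session from inside the trusted range (e.g. relayed through a compromised
    # edge device) with neither MFA nor a compliant device.
    SignIn("dave", "203.0.113.77", "US", "corporate", False, False),
]


def evaluate(events):
    """Return (user, ip/geo-only decision, contextual decision) per event."""
    return [(ev.user, decide_ip_geo_only(ev), decide_with_context(ev)) for ev in events]


if __name__ == "__main__":
    for user, weak, strong in evaluate(SAMPLE_SIGNINS):
        print(f"{user:6} ip/geo-only={weak:6} with-context={strong}")
```

The geolocation-aligned hosting-space sign-in ("bob") is the case the technique description gives: it passes the IP/geo rule and is held for step-up under the contextual one. The traveller ("carol") is blocked by the weak rule and admitted by the stronger one, and the no-MFA session from inside the trusted range ("dave") is admitted by the weak rule and blocked by the stronger one, which together make the usual argument for moving trust off the source address.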

Analyst notes and limits

The key decision value is coverage validation: can the organization distinguish normal use of proxies, VPNs, CDNs, URL shorteners, and marketing infrastructure from adversary attempts to hide C2? The supplied ATT&CK object also makes this relevant to identity policy design, cloud/network visibility, vulnerability prioritization for network devices, and IR evidence preservation.

MITRE does not provide official detection text for this technique in the supplied fields. The take is based on the official description, external references, and listed relationships only. Local conclusions require environment-specific telemetry, policy configuration, asset exposure, and threat intelligence validation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0128: ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Malware Enterprise

S1206: JumbledPath

JumbledPath is a custom-built utility written in Go that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an x86-64 ELF binary, which makes it potentially usable across Linux operating systems and network devices from multiple vendors.[1]

Network Devices
Malware Enterprise

S1111: DarkGate

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]

Windows
Malware Enterprise

S1164: UPSTYLE

UPSTYLE is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-2024-3400 in early 2024. UPSTYLE has only been observed in relation to this exploitation activity, which involved attempted installation on compromised devices by the threat actor UTA0218.[1][2]

Network Devices, Linux
Campaign Enterprise

C0055: Quad7 Activity

Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers.[1][2] The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner xlogin. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying alogin. Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations.[1][3] Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities.[2]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Campaign Enterprise

C0061: Operation Digital Eye

Operation Digital Eye was conducted in June and July of 2024 by suspected People's Republic of China (PRC)-nexus threat actors targeting business-to-business IT service providers in Southern Europe. Operation Digital Eye activity included the use of Visual Studio Code tunnels for command and control (C2) and custom lateral movement capabilities. Overlaps in tooling between Digital Eye and previous China-nexus campaigns, Operation Soft Cell and Operation Tainted Love, indicate the potential use of shared vendors or digital quartermasters.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 203dd0b3cc27fb87...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.2                         Current bundle   203dd0b3cc27…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TA571. Axel F, Selena Larson. (2023, October 30). TA571 Delivers IcedID Forked Loader. Retrieved February 13, 2024.
  2. [2] Schema-abuse. Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.
  3. [3] Facad1ng. Spyboy. (2023). Facad1ng. Retrieved February 13, 2024.
  4. [4] Browser-updates. Dusty Miller. (2023, October 17). Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates. Retrieved February 13, 2024.
  5. [5] sysdig. Sysdig. (2023). Sysdig Global Cloud Threat Report. Retrieved March 1, 2024.
  6. [6] Orange Residential Proxies. Orange Cyberdefense. (2024, March 14). Unveiling the depths of residential proxies providers. Retrieved April 11, 2024.
  7. [7] mod_rewrite. Bluescreenofjeff.com. (2015, April 12). Combatting Incident Responders with Apache mod_rewrite. Retrieved February 13, 2024.
  8. [8] SocGholish-update. Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
  9. [9] StarBlizzard. Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
  10. [10] QR-cofense. Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.
  11. [11] mitre-attack T1665.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.