T1041

Exfiltration Over C2 Channel

discovered 2025-08-12

Collected data is exfiltrated as a gzip-compressed HTTPS POST to the path /api/v1/events, gated by a custom X-Secret header. The destination C2 host is concealed in the payload with RC4 and XOR, and was not statically resolved.
