| ID | Name | Description |
| --- | --- | --- |
| S0622 | AppleSeed | AppleSeed has divided files into parts if their size is 0x1000000 bytes or more.[1] |
| G0007 | APT28 | APT28 has split archived exfiltration files into chunks smaller than 1MB.[2] |
| G0096 | APT41 | APT41 transfers post-exploitation files by dividing the payload into fixed-size chunks to evade detection.[3] |
| C0015 | C0015 | During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.[4] |
| C0026 | C0026 | During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[5] |
| S0030 | Carbanak | Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes.[6] |
| S0154 | Cobalt Strike | Cobalt Strike will break large data sets into smaller chunks for exfiltration.[7] |
| S0170 | Helminth | Helminth splits data into chunks of up to 23 bytes and sends the data in DNS queries to its C2 server.[8] |
| S0487 | Kessel | Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.[9] |
| S1020 | Kevin | Kevin can exfiltrate data to the C2 server in 27-character chunks.[10] |
| G1014 | LuminousMoth | LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[11] |
| S1141 | LunarWeb | LunarWeb can split exfiltrated data that exceeds 1.33 MB in size into multiple randomly sized parts between 384 and 512 KB.[12] |
| S0699 | Mythic | Mythic supports custom chunk sizes used to upload/download files.[13] |
| S0644 | ObliqueRAT | ObliqueRAT can break large files of interest into smaller chunks to prepare them for exfiltration.[14] |
| S0264 | OopsIE | OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.[15] |
| G1040 | Play | Play has split victims' files into chunks for exfiltration.[16][17] |
| S0150 | POSHSPY | POSHSPY uploads data in 2048-byte chunks.[18] |
| S1040 | Rclone | The Rclone "chunker" overlay supports splitting large files into smaller chunks during upload to circumvent size limits.[19][4] |
| S0495 | RDAT | RDAT can upload a file to the C2 via HTTP POST, split into 102,400-byte portions. RDAT can also download data from the C2, which is split into 81,920-byte portions.[20] |
| S1200 | StealBit | StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms.[21] |
| G0027 | Threat Group-3390 | Threat Group-3390 actors have split RAR files for exfiltration into parts.[22] |
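Two patterns recur in the table above: bursts of outbound uploads that all share one fixed size (1500-, 2048- or 102,400-byte blocks) and data packed into the leftmost labels of DNS queries (23-byte or 27-character chunks). The following is an added detection example, not MITRE's code nor that of any listed tool; the proxy and DNS log line formats, hostnames, IPs and thresholds are constructed assumptions for illustration.

```python
"""Flag chunked-exfiltration patterns in constructed proxy and DNS logs.

Heuristics: (1) many POSTs of an identical byte size from one source to
one host; (2) many DNS queries from one source whose leftmost label is
unusually long, i.e. a data chunk rather than a hostname. Thresholds are
assumed values for this example, not MITRE or vendor recommendations.
"""
import re
from collections import Counter, defaultdict

# Assumed log formats: "<ts> <src> <method> <host> <bytes>" and "<ts> <src> query <qname>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<bytes>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


def fixed_size_uploads(lines, min_repeats=5):
    """Return {(src, host, size): count} for POST bursts that reuse one exact size."""
    counts = Counter()
    for line in lines:
        m = PROXY_RE.match(line)
        if m and m["method"] == "POST":
            counts[(m["src"], m["host"], int(m["bytes"]))] += 1
    return {key: n for key, n in counts.items() if n >= min_repeats}


def packed_dns_labels(lines, min_label=20, min_queries=4):
    """Return {(src, zone): count} where the leftmost label is consistently long."""
    hits = defaultdict(int)
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        # Need at least chunk.<something>.zone; zone is the registrable-looking tail.
        if len(labels) >= 3 and len(labels[0]) >= min_label:
            hits[(m["src"], ".".join(labels[-2:]))] += 1
    return {key: n for key, n in hits.items() if n >= min_queries}


# Constructed sample logs: six 2048-byte POSTs (POSHSPY-style) plus benign noise,
# and five queries carrying 27-character hex chunks (Kevin-style) plus one benign lookup.
PROXY_LOG = [f"2024-01-01T10:00:{i:02d} 10.0.0.5 POST upload.example.test 2048" for i in range(6)] + [
    "2024-01-01T10:01:00 10.0.0.5 GET www.example.test 512",
    "2024-01-01T10:01:05 10.0.0.7 POST upload.example.test 7301",
]
DNS_LOG = [f"2024-01-01T10:02:{i:02d} 10.0.0.9 query {0x1f3a + i:027x}.s{i}.exfil.example.test"
           for i in range(5)] + ["2024-01-01T10:03:00 10.0.0.9 query www.example.test"]

if __name__ == "__main__":
    print("fixed-size upload bursts:", fixed_size_uploads(PROXY_LOG))
    print("packed DNS labels:", packed_dns_labels(DNS_LOG))
```

Both functions key on source and destination so a tuned threshold can be applied per host pair; legitimate chunked uploaders (backup agents, cloud sync clients) will also trip the first heuristic and need allow-listing by host.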