Authors: Dixit Panchal & Soumen Burma
Table of Contents:
- Introduction
- Key Targets
- Infection Chain
- Initial Findings about Campaign
- Initial Mail
- Email Attachment
- Lure: Official GoI, Income Tax Document
- Technical Analysis
- Infrastructural Artefacts & Threat Actor Attributions
- Campaign Timeline
- Conclusion
- Seqrite Coverage
- IOCs
- MITRE ATT&CK
Introduction:
Seqrite Lab actively tracks and analyses threat actors and their campaigns, focusing on attribution, infrastructure analysis, and adversary tradecraft. Throughout our research, we have attributed numerous operations to China-aligned threat clusters targeting both regional and international entities.
As part of our latest investigation, we uncovered a campaign that demonstrates operational and technical similarities to a China-nexus threat cluster. Further analysis revealed overlapping TTPs with a prominent and highly active threat actor known for conducting cyber-espionage operations against Asian countries through the deployment of RAT-based malware.
Key Targets:
Geographic Focus: India (Pan-India taxpayer base)
- Corporate Companies & Businesses.
- Individual Taxpayers.
- Tax Professionals & CAs.
- Government Contractors.
- Tax Consultants & Filing Agents.
- Corporate Finance & Accounts Teams.
Infection Chain:

Initial Findings about Campaign:
A sophisticated and actively maintained phishing campaign has been identified targeting Indian taxpayers, tax professionals, and corporate finance teams by impersonating the Income Tax Department of the Ministry of Finance, Government of India. The campaign was first observed on May 18, 2026, and remains active as of June 17, 2026, with the latest payload variant achieving a 0/66 detection rate on VirusTotal, indicating the threat actor is actively maintaining and rotating malicious payloads to evade detection.

The campaign exploits the AY2026-27 ITR filing season by cloning a legitimate government utility filename, making it exceptionally difficult for even security-aware users to distinguish the malicious file from the genuine one.

This campaign is classified as a spear-phishing-to-malware-delivery operation with APT-style characteristics, based on the TTPs Seqrite Lab has observed. It is not opportunistic: the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem. The primary objective is assessed to be malware deployment for financial gain or sensitive data theft, and the threat level is rated Critical.
Initial mail:

We observed an email impersonating the Income Tax Department, Government of India, containing an attachment related to a tax notification. The attacker appears to be using this attachment to create a sense of urgency and encourage recipients to open the file, potentially leading to malicious activity.
Email attachment:

The attachment contains an embedded URL, govtop[.]one/incometax. When a user clicks on the link, they are redirected to a webpage designed to appear legitimate and generate trust. This lure page encourages users to download files from the URL, potentially exposing them to malicious content.
Lure: Official GoI, Income Tax Document.

The page impersonates an official Office Memorandum bearing the Government of India emblem, bilingual Hindi-English formatting consistent with genuine government communications, and a fabricated reference number, No. TAX/PEN/2026-142. It cites real and legally significant sections of the Income Tax Act (Section 271(1)(c) for concealment-of-income penalties and Section 276C for prosecution of tax evasion), lending the document significant credibility. A fake signatory, Raj Kumar Sharma, Assistant Commissioner of Income Tax, is included along with a spoofed official email address.

Technical Analysis:
Upon downloading the ZIP file, we observed that it was named “Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip”, which closely matches the naming convention of the legitimate offline utility provided by the Income Tax Department of India. This official tool is commonly used by taxpayers and tax professionals to prepare and file income tax returns offline before uploading them to the e-filing portal.
The threat actor appears to have leveraged the trust associated with this legitimate utility by using a similar file name as part of the attack chain. By mimicking an official Income Tax Department resource, the attacker increases the likelihood that recipients will perceive the file as genuine and proceed with downloading and executing it, thereby facilitating the delivery of the malicious payload.

Upon execution, the malicious executable spawns multiple cmd.exe processes that leverage the Windows Service Control (sc.exe) utility to create a service named MixedSvc. The service is configured to execute “C:\Program Files\Windows Media Player\Mixed Reality.exe” and is set to start automatically at system boot. To evade suspicion, the threat actor assigns the service the display name “Windows Mixed Reality Service” and a legitimate-looking description. The service is then immediately started, providing both execution and persistence for the malware payload. This behavior indicates an attempt to establish long-term access while masquerading as a legitimate Windows component.
On initial analysis, the executable COU_ITR-1_to_4_AY2026-27.exe appears to be a lightweight launcher that imports and invokes the exported functions injection_initialize() and injection_terminate() from the accompanying DLL nvdaHelperRemote.dll. Its WinMain() function contains minimal logic and ultimately calls a routine that resolves to the standard C runtime function fgetc_nolock(), indicating that the EXE itself does not contain the primary functionality.

On analysing nvdaHelperRemote.dll, we found that it injects another payload into memory. By setting a breakpoint on VirtualAlloc(), we located this injected payload.

Analysis of injected payload
On analysis, we found that the routine first checks whether it is running with administrative privileges using CheckTokenMembership(). If it is not elevated, it relaunches itself using ShellExecuteW() with the “runas” verb, triggering a UAC prompt, and then terminates the original process. The malware then enforces single-instance execution by creating a global event named Global\ShitSetupOn26126k and terminating if an existing instance is detected.
Following successful initialization, the malware spawns two worker threads through a thread creation wrapper, invoking the routines sub_1800015A0() and sub_180001000(). These functions are likely responsible for the primary malicious activities. Finally, the process remains active for approximately five minutes using Sleep(300000), allowing the worker threads to continue execution.

The function sub_1800015A0() serves as an anti-analysis and environment validation routine. It performs multiple timing checks using GetTickCount64() and short sleep intervals to detect sandbox acceleration, debugger interference, or API hooking. Such techniques are commonly employed by malware to evade automated analysis environments and ensure execution only on a real host system.

The function sub_180001000() acts as the malware’s primary installation and persistence component. It first prepares the environment by deleting previous artifacts and creating a working directory under C:\Program Files\Windows Media Player. The malware then downloads a file named lllyd.jpg from the hardcoded IP address 204.194.48.250 and stores it as C:\Windows\background.jpg. Analysis shows that this image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to C:\Program Files\Windows Media Player\nvdaHelperRemote.dll.

After extracting the payload, the malware copies itself as Mixed Reality.exe and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot. The service is disguised as a legitimate Windows Mixed Reality component through its name and description. Once persistence has been successfully established and the service started, the installer terminates the current process. This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system.

2nd Payload analysis (Mixed Reality.exe):

The malware establishes persistence by masquerading as a legitimate Windows component. The downloader copies itself to C:\Program Files\Windows Media Player\Mixed Reality.exe and extracts a secondary payload, nvdaHelperRemote.dll, from a remotely downloaded image file. To ensure automatic execution after system restart, it creates a Windows service named MixedSvc with the display name Windows Mixed Reality Service, leveraging a trusted-looking location and naming convention to evade user suspicion.
Upon debugging again, we found the injected payload.

Upon analysing the injected payload, we found the following.
The analysed function begins by de-obfuscating several strings using a simple XOR operation (^ 0x18 and ^ 0x02). These strings are subsequently used to dynamically resolve critical Windows APIs through LoadLibraryA() and GetProcAddress(). The resolved APIs correspond to native memory management and process manipulation functions that are commonly leveraged during process injection.
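As an added illustration (not code from the Seqrite report or from the sample itself), the following Python recovers single-byte XOR keys such as the ^ 0x18 and ^ 0x02 seen here using a known-plaintext crib, the way an analyst scripts it when pulling API names out of a memory dump. The obfuscated inputs are constructed from names that appear in this analysis; the crib list and the function names are assumptions of this example. The approach is general: it works for any single-byte key, not only the two the sample uses.

```python
from typing import List, Optional


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in blob)


def keys_consistent_with_crib(blob: bytes, crib: bytes) -> set:
    """Return every single-byte key under which `crib` appears somewhere in the decoded blob.

    For each alignment the first crib byte fixes a candidate key; that key is kept only
    if it also explains every remaining byte of the crib at the same position.
    """
    keys = set()
    for off in range(len(blob) - len(crib) + 1):
        key = blob[off] ^ crib[0]
        if all(blob[off + i] ^ key == crib[i] for i in range(len(crib))):
            keys.add(key)
    return keys


def recover_strings(blobs: List[bytes], cribs: List[bytes]) -> List[Optional[str]]:
    """Decode each blob when exactly one key is consistent with at least one crib.

    Blobs that match no crib, or that several keys could explain, yield None rather
    than a guess so the analyst can review them by hand.
    """
    results: List[Optional[str]] = []
    for blob in blobs:
        candidates = set()
        for crib in cribs:
            candidates |= keys_consistent_with_crib(blob, crib)
        if len(candidates) == 1:
            results.append(xor_decode(blob, candidates.pop()).decode("ascii", "replace"))
        else:
            results.append(None)
    return results


# Constructed test data (not bytes extracted from the real sample): names that appear in
# the analysis, obfuscated with the two keys the report identifies.
SAMPLE_BLOBS = [
    xor_decode(b"LoadLibraryA", 0x18),
    xor_decode(b"GetProcAddress", 0x18),
    xor_decode(b"svchost.exe", 0x02),
]
# Cribs: fragments an analyst expects inside API-resolution strings and process names.
CRIBS = [b"Library", b"Address", b".exe", b".dll"]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, recover_strings(SAMPLE_BLOBS, CRIBS)):
        print(blob.hex(), "->", text)
```

Because a single-byte XOR preserves byte-to-byte structure, a crib of four or more characters almost always pins the key uniquely; when it does not, the function deliberately returns None instead of picking one.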
The malware then opens and reads an embedded resource or payload from disk, allocating memory and copying approximately 166 KB of decrypted shellcode/PE data into a newly created buffer. A custom decryption routine (sub_180001000) is applied to the extracted data before the original buffer is released. Following payload preparation, the malware enumerates running processes using CreateToolhelp32Snapshot() and searches specifically for svchost.exe.

Upon locating a target svchost.exe process, the malware obtains a handle with full access permissions and allocates executable memory within the remote process. The decrypted payload is written into the allocated region using a dynamically resolved memory-writing API. Execution is then transferred to the injected code by creating a remote thread within the target process. After successful injection, the malware terminates its own process, leaving the malicious payload executing under the context of svchost.exe.

Upon analysing the injected payload, we found the malware begins by waiting for the presence of nvdaHelperRemote.dll within the Windows Media Player directory, indicating synchronization with another stage of the malware. Once the DLL becomes available, the malware opens and reads data from C:\Windows\background.jpg, which serves as a container for embedded malicious payloads rather than a legitimate image file.

Once the payloads are prepared, the malware continuously enumerates Terminal Services (WTS) sessions using WTSEnumerateSessionsW(). For every active user session discovered, it checks for the presence of predefined marker files. If these files do not exist, the malware invokes sub_1400011E0(), which likely launches or injects one of the decrypted payloads into the corresponding user session. Two separate payloads are deployed, suggesting distinct functional components such as a backdoor, remote-access module, credential stealer, or surveillance component.

To maintain operational awareness, the malware periodically writes a status value to a hidden file named C:\debug.txt. The file contents follow the format client=<id>, where the client identifier appears to represent a session, victim, or payload instance. The file is then assigned hidden/system attributes to avoid casual discovery.
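As an added, defender-side illustration (not code from the report or from Seqrite's products), the following Python turns the host behaviours described in the installer section (MixedSvc service creation), the svchost.exe injection section, and the status-file paragraph above into three Sysmon-style detection rules and runs them over constructed events. Field names follow Sysmon's schema (EventID 1 process creation, 8 CreateRemoteThread, 11 FileCreate); the events themselves and the exact sc.exe command line are a reconstruction of what the analysis describes, not captured telemetry.

```python
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Host artifacts named in this analysis, lower-cased for comparison.
STAGING_FILES = {
    r"c:\windows\background.jpg",
    r"c:\debug.txt",
    r"c:\program files\windows media player\nvdahelperremote.dll",
    r"c:\program files\windows media player\mixed reality.exe",
}
SERVICE_NAME = "mixedsvc"
SERVICE_DIR = r"c:\program files\windows media player"

_SC_CREATE = re.compile(r'\bsc(?:\.exe)?\s+create\s+(\S+).*?binpath=\s*"?([^"]+)', re.IGNORECASE)


def rule_service_persistence(ev: Event) -> Optional[str]:
    """T1543.003: sc.exe creating the MixedSvc service, or any service whose binary
    is staged under the Windows Media Player directory."""
    if ev.get("EventID") != 1:
        return None
    m = _SC_CREATE.search(str(ev.get("CommandLine", "")))
    if not m:
        return None
    name, binpath = m.group(1), m.group(2).strip()
    if name.lower() == SERVICE_NAME or binpath.lower().startswith(SERVICE_DIR):
        return f"T1543.003 service persistence: {name} -> {binpath}"
    return None


def rule_remote_thread_into_svchost(ev: Event) -> Optional[str]:
    """T1055: Sysmon EID 8 (CreateRemoteThread) whose target is svchost.exe and whose
    source image does not itself live in System32."""
    if ev.get("EventID") != 8:
        return None
    src = str(ev.get("SourceImage", "")).lower()
    tgt = str(ev.get("TargetImage", "")).lower()
    if tgt.endswith("\\svchost.exe") and not src.startswith("c:\\windows\\system32\\"):
        return f"T1055 remote thread into {ev['TargetImage']} from {ev['SourceImage']}"
    return None


def rule_staging_artifact(ev: Event) -> Optional[str]:
    """Sysmon EID 11 (FileCreate) on one of the paths this campaign stages."""
    if ev.get("EventID") != 11:
        return None
    if str(ev.get("TargetFilename", "")).lower() in STAGING_FILES:
        return f"staging artifact {ev['TargetFilename']} written by {ev.get('Image')}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_service_persistence,
    rule_remote_thread_into_svchost,
    rule_staging_artifact,
]


def scan(events: List[Event]) -> List[str]:
    """Run every rule over every event and return the alert strings in event order."""
    alerts: List[str] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed Sysmon-style events (not real telemetry). Events 2 and 5 are benign
# controls: a normal svchost.exe launch and a remote thread from a System32 process.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c sc create MixedSvc binPath= "C:\\Program Files\\Windows Media Player\\Mixed Reality.exe" start= auto DisplayName= "Windows Mixed Reality Service"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 11, "Image": r"C:\Users\finance-user\Downloads\COU_ITR-1_to_4_AY2026-27.exe",
     "TargetFilename": r"C:\Windows\background.jpg"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Windows Media Player\Mixed Reality.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\debug.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The service rule fires on either the known service name or the unusual binary location, so a renamed service in the same staging directory is still caught; the remote-thread rule excludes System32 sources to keep legitimate OS activity out of the alert stream.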

We then found that the malware reads background.jpg, decrypts it, and extracts two payloads:
- Payload A (~1.13 MB)
- Payload B (~1.15 MB)
Analysis of Payload A
The loader's main routine serves as its primary execution path and reveals a sophisticated .NET malware loader. The sample performs multiple anti-analysis checks, disables Windows AMSI scanning, decrypts an embedded .NET assembly, loads the CLR runtime, and executes the decrypted payload directly from memory.
Anti-Analysis and AMSI Bypass
At startup, the malware creates a lock file and performs extensive looping around GetModuleHandleA() and GetSystemInfo(), likely to delay execution and frustrate automated sandboxes. It then checks whether amsi.dll is loaded and patches the AmsiOpenSession() function in memory using VirtualProtect(). By overwriting instructions within AMSI, the malware effectively disables antimalware scanning of subsequent .NET code, allowing malicious assemblies to execute without being inspected by Windows Defender.

Payload Decryption
The malware retrieves an encrypted payload from an embedded resource (qword_1400C4020) and decrypts it using the Windows Cryptography API: Next Generation (CNG). Specifically, it opens the AES algorithm provider (BCryptOpenAlgorithmProvider), creates a symmetric key from a hardcoded 16-byte key, and decrypts the payload using BCryptDecrypt(). The resulting decrypted buffer contains a managed .NET assembly that will later be executed in memory.

CLR Initialization and In-Memory Execution
After decrypting the payload, the malware dynamically loads the .NET Common Language Runtime (CLR) using CLRCreateInstance(). It obtains the runtime interface for .NET Framework v4.0.30319, verifies that the runtime is loadable, starts the CLR, and acquires the default application domain. The decrypted assembly is copied into a SAFEARRAY and loaded directly into memory via AppDomain::Load_3(), avoiding the need to write the payload to disk. The malware then retrieves the assembly’s entry point using Assembly::get_EntryPoint() and executes it through MethodInfo::Invoke_3(). This technique enables fully fileless execution of the malicious .NET payload.
Persistence and Environment Preparation
The sample also performs registry operations using RegOpenKeyExA(), RegCreateKeyExA(), and RegSetValueExA(), indicating the creation of configuration or persistence-related registry values. Additionally, it invokes DPI-awareness APIs (SetProcessDpiAwarenessContext, SetProcessDpiAwareness, and SetProcessDPIAware) to ensure correct behavior across different Windows display environments.
Analysis of the extracted .NET payload of Payload A
Anti-analysis technique

This is a common anti-analysis technique: instead of crashing or exiting, the malware simply sleeps forever when it believes it is running in a VM or sandbox.
C2 connection

The malware creates an SSL/TLS stream (System.Net.Security.SslStream) over the existing TCP socket, indicating that all subsequent communications with the C2 server are encrypted. The remote endpoint resolves to 223.26.63.40:2671, which is the active command-and-control (C2) server at the time of execution. The string “ikkkkddd.com” is present in memory, suggesting it is the configured domain or hostname associated with the C2 infrastructure.
After the TLS session is established (ClientSocket.KKNV7m8G(4L)), the malware invokes functions to initialize communication, transmit system information (Sender.SendInfo()), and start a periodic keep-alive timer (KeepAlivePacket) to maintain the connection with the C2 server.
Victim Registration and Initial System Fingerprinting
After successfully establishing an encrypted TLS connection with its command-and-control (C2) server, the malware performs an extensive reconnaissance phase to profile the compromised system. The IdSender.SendInfo() routine collects a wide range of host information, including the victim’s hardware identifier (HWID), username, operating system version and architecture, executable path, malware version, privilege level, active window title, installed antivirus products, executable timestamp, campaign group, operator note, and system idle time.

To hinder static analysis, all MessagePack field names are resolved at runtime through string deobfuscation before being populated with the collected data. The gathered information is then organized into a MessagePack object, creating a structured registration packet that uniquely identifies the infected host and provides operators with valuable environmental details for subsequent stages of the attack.
Before transmitting the registration data, the malware serializes the MessagePack object into a binary stream and compresses it using a ZIP-based compression routine. This compressed payload is then sent through the previously established TLS-encrypted channel, reducing network overhead while adding a further layer of obfuscation to the transmitted data. During dynamic analysis, the captured registration packet confirmed that the malware successfully transmitted key victim information (the HWID, username, operating system details, executable path, administrator privileges, installed security products, and execution timestamp) to the remote C2 server. This registration mechanism enables attackers to inventory newly compromised systems, evaluate their security posture, and determine suitable follow-on actions such as command execution, credential theft, or additional payload deployment.
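As an added example (not code from the report or the sample), the following Python shows how an analyst can decode a registration packet of the shape described above once it has been captured in the clear (for instance from a sandbox that intercepts the TLS stream): inflate the compressed blob, then parse the MessagePack map by hand without a third-party library. The "ZIP-based" compression is assumed here to be zlib/deflate, the field names and victim values are constructed for this example, and the small encoder exists only to build that sample packet.

```python
import struct
import zlib
from typing import Any, Tuple


# --- minimal MessagePack encoder: used only to construct the sample packet below ---
def pack(obj: Any) -> bytes:
    if obj is None:
        return b"\xc0"
    if isinstance(obj, bool):                            # must precede the int checks
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, int) and 0 <= obj < 0x80:
        return bytes([obj])                              # positive fixint
    if isinstance(obj, int) and 0 <= obj <= 0xFFFFFFFF:
        return b"\xce" + struct.pack(">I", obj)          # uint32
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        if len(raw) < 32:
            return bytes([0xA0 | len(raw)]) + raw        # fixstr
        if len(raw) < 256:
            return b"\xd9" + bytes([len(raw)]) + raw     # str8
    if isinstance(obj, dict) and len(obj) < 16:
        out = bytes([0x80 | len(obj)])                   # fixmap
        for k, v in obj.items():
            out += pack(k) + pack(v)
        return out
    raise TypeError(f"unsupported value for this minimal encoder: {obj!r}")


# --- decoder: the MessagePack subset needed for a flat registration map ---
def unpack(buf: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one object at buf[pos]; return (object, offset of the next object)."""
    b = buf[pos]
    pos += 1
    if b <= 0x7F:                                        # positive fixint
        return b, pos
    if 0x80 <= b <= 0x8F:                                # fixmap
        out = {}
        for _ in range(b & 0x0F):
            key, pos = unpack(buf, pos)
            value, pos = unpack(buf, pos)
            out[key] = value
        return out, pos
    if 0x90 <= b <= 0x9F:                                # fixarray
        items = []
        for _ in range(b & 0x0F):
            item, pos = unpack(buf, pos)
            items.append(item)
        return items, pos
    if 0xA0 <= b <= 0xBF:                                # fixstr
        n = b & 0x1F
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b == 0xC0:
        return None, pos
    if b in (0xC2, 0xC3):
        return b == 0xC3, pos
    if b == 0xCE:                                        # uint32
        return struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    if b == 0xD9:                                        # str8
        n = buf[pos]
        return buf[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x} at offset {pos - 1}")


def decode_registration(packet: bytes) -> dict:
    """Inflate a captured registration packet and return the decoded field map.

    Assumption: the compression is zlib/deflate. If a captured packet starts with
    the bytes 1f 8b it is gzip-framed instead; use gzip.decompress() there.
    """
    raw = zlib.decompress(packet)
    obj, end = unpack(raw)
    if end != len(raw):
        raise ValueError(f"{len(raw) - end} trailing bytes after the MessagePack object")
    if not isinstance(obj, dict):
        raise ValueError("registration packet is not a map")
    return obj


# Constructed sample registration (hypothetical victim data; the keys are plausible
# names, not the sample's real, runtime-deobfuscated MessagePack field names).
SAMPLE_FIELDS = {
    "HWID": "0A1B2C3D4E5F",
    "User": "finance-user",
    "OS": "Windows 10 Pro (x64)",
    "Path": "C:\\Users\\finance-user\\Downloads\\COU_ITR-1_to_4_AY2026-27.exe",
    "Admin": True,
    "AV": "Windows Defender",
    "Idle": 4200,
}
SAMPLE_PACKET = zlib.compress(pack(SAMPLE_FIELDS))

if __name__ == "__main__":
    for name, value in decode_registration(SAMPLE_PACKET).items():
        print(f"{name:>5} = {value!r}")
```

The decoder refuses trailing bytes and non-map roots rather than silently ignoring them, which is the behaviour you want when checking whether a captured blob really is a registration packet or something else on the same channel.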

Analysis of Payload B:
Desktop Capture and Data Exfiltration Capabilities
The embedded desktop capture (dsc_*) library indicates the capability to capture the victim’s screen, while the integrated TurboJPEG library (tjInitCompress, tjCompress2, tjFree, and tjDestroy) enables rapid JPEG encoding of captured images. Additionally, the inclusion of zlib compression functions (compress2 and uncompress) suggests that the malware compresses screenshots or other collected data before transmission, reducing bandwidth usage and improving the efficiency of C2 communications.
Based on the imported libraries and initialization sequence, Payload B likely provides:
- Screen capture using the embedded desktop capture library (dsc_* exports).
- Image compression using TurboJPEG for efficient screenshot encoding.
- General data compression/decompression using zlib (compress2/uncompress).

C2 Communication Controller and Session Management
The function sub_140001730 serves as the primary controller thread for Payload B, orchestrating the malware’s communication lifecycle rather than performing surveillance tasks directly. It begins by allocating a connection object and repeatedly resolving the hardcoded command-and-control (C2) domain kkxqbh.top until a valid IP address is obtained, allowing the malware to recover automatically from temporary network outages. Once the domain is successfully resolved, the malware converts the returned IP address into a usable format and attempts to establish a connection with the remote server. Upon successful connection, it creates a dedicated communication thread (sub_140001710) responsible for handling C2 traffic while the controller thread periodically monitors the connection state.

Infrastructural Artefacts & Threat actor Attributions
Attribution has always been one of the most challenging aspects of threat research, particularly for analysts involved in APT hunting and campaign investigations. Based on the available artifacts, infrastructure overlaps, and additional technical evidence, we have attributed this campaign with a moderate-to-high level of confidence.
During the initial stages of the investigation, we observed that three different IP addresses were used to host and deliver the first-stage payload, which was disguised as a .JPG image file. The identified IP addresses are listed below:

Further analysis of the infrastructure revealed that the identified IP addresses were hosted across two Autonomous Systems. Specifically, the infrastructure leveraged by the threat actor was associated with AS152194 (CTG Server Limited) and AS140869 (Turing Group Limited). The use of infrastructure within these providers suggests a deliberate effort to distribute malicious resources across multiple hosting environments, potentially to enhance operational resilience and complicate attribution efforts.

Upon further pivoting on the identified infrastructure, particularly the IP addresses 118.107.0.197 and 27.50.54.191, we observed a common infrastructure pattern. Both IP addresses were associated with the same Autonomous System Number (ASN), indicating a potential operational overlap in the threat actor’s infrastructure. This shared ASN relationship provides an additional infrastructure linkage that may assist in understanding the campaign’s hosting strategy and attribution assessment.


As shown in the above screenshot, we identified several Chinese-language strings within the infrastructure, which prompted further investigation into a potential China-linked nexus. We also observed infrastructure and TTP overlaps with activity previously associated with the China-aligned threat actor Silver Fox. Based on these overlaps and supporting artifacts, we assess with medium-to-high confidence that this campaign is likely linked to a China-aligned threat cluster.
Furthermore, during our investigation we found another IP address related to the domains below, which share the same infrastructure.

Infrastructure analysis revealed that the IP address 223.26.63.40 is hosted under AS152194 (CTG Server Limited) and exposes a Chinese-language web management panel (“豪凌1.6 – Web管理面板”). Further pivoting on this infrastructure identified multiple associated domains, including 1kkkkddd.com, simaqz.com, and jiayingjing.com, indicating the presence of a broader infrastructure cluster.

Further enrichment of the infrastructure associated with kkxqbh[.]top revealed that several resolved IP addresses, including 117.44.201.119, are in Nanchang, Jiangxi Province, China and belong to AS4134 (CHINANET BACKBONE), operated by China Telecom’s Jiangxi provincial network.

The repeated use of infrastructure hosted within ChinaNet (AS4134), combined with previously identified Chinese-language artifacts, infrastructure overlaps, and TTP similarities, further strengthens our assessment of a China-aligned threat nexus. While geographic location and hosting infrastructure alone do not constitute definitive attribution, these findings provide additional supporting evidence and contribute to our medium-to-high confidence assessment.
Campaign Timeline

Operation DragonReturn was first observed on May 18, 2026, with the threat actor demonstrating rapid operational responsiveness by rotating payloads every 7-10 days across five distinct variants throughout May and June 2026. The spear phishing email carrying the malicious PDF was observed actively distributed in the wild on June 10, 2026, with the malicious ZIP payload packaged and deployed the following day. The campaign reached its most critical phase on June 12, 2026, when the latest payload variant achieved a 0/66 detection rate across all antivirus engines, rendering signature-based detection entirely ineffective. As of June 17, 2026, Operation DragonReturn remains fully active with all submissions confirmed from India, indicating this is an ongoing and actively maintained China-Nexus cyber espionage operation with no signs of slowdown.
Conclusion:
Operation DragonReturn represents a sophisticated and actively maintained China-Nexus cyber espionage campaign deliberately engineered to exploit the AY2026-27 ITR filing season, targeting GoI tax infrastructure including corporate entities, tax professionals, chartered accountants, and individual taxpayers across India. The threat actor demonstrated significant operational maturity: precision social engineering via GoI-impersonating lure documents; purpose-built malicious infrastructure hosted on govtop[.]one; and a multi-stage DcRAT deployment chain that uses steganographic payload concealment within background.jpg, fileless .NET execution, an AMSI bypass, Windows service persistence under the guise of a Mixed Reality service, and TLS-encrypted C2 communications with 223[.]26.63.40:2671 and kkxqbh[.]top, all while actively rotating payloads to maintain a 0/66 VirusTotal detection rate. This confirms that the activity is not an opportunistic attack but a deliberate, resourced, and sustained espionage operation whose primary objective is establishing long-term covert access to high-value Indian government financial infrastructure for intelligence collection, credential theft, and systematic data exfiltration.
Seqrite Coverage:
- Malware.Ulise
- Trojan.Ulise
- Trojan.Phonzy
- Trojan.Ravartar
- Trojandownloader.Smallao
- Trojan.InjectorCiR
IOCs:
2f2f8f92af86fb962c30c4c1c9d673f9d94886373d0fcf78f8d105c051ffc643
1787d1119cd3b40e0e5f19d62821958b7d5c2bbe0518bf1e3fb2e44fdeb4fa58
19ca5fe04ca45a18c5bad9658ff73a8f39fe20ced78f690595f1b4c5a90af324
2f72f4b71e33c80f122dbe5360a8d687577260567d4b59cf8c07ee2182e8ceba
4a040770fd81d0db9e04cb8dbd2e07e61969072962bb4e736b7c7001444cc2fa
696f6a1a0fbf7b4ff977cc36382f6d2bc6d7813ed84b0195d925d1f46c24568c
6c774188a54ae07ae896abdf1ea6695cc29f529388888665e05322af3e9178e1
6c9ae8a979ad18da2927ae4fdbd73d3c870ead4ea3d437656a3bdcc81b85a050
8ed95259300ca268279867d2999d9c4f6585c6c45308635fc39af87da27546b5
9e73cd733707e5f7c9091147b029a6974b985d6c90a9cc2cb47bc0ae8a0f9245
c6fc06db6a1318152c09200352b40c8fa794f1089988835c1df92174347be8ec
e6346e3087db2bfba4551fcf89d94ae49aa92dc22f0ec2b718187a96e3a3b83c
fc17d5b4d64cb61a5aa8fb6bbe1e94885f129b2bf8ee91bca1ccca2b537f6616
40593369e14c9ab7b5e2fd186a580dbcd790ebb902f3aedc12c92cd617302960
ec5d4103b3d97885e9575ad045b2ef5467bf9fccf71828e418e6488d78983146
133e4d3f1dcd99a35fec92ad13bafa3790b6d585f8ec46527fe0ae01da98ad22
5a00485968679dc0ed6d80b659f48287603864c223e952918d2c2aaddfa2d280
6751ad8d0aeb6ac67cd54ea42657ce1f16addc3e3111f9e60b11931ebf58e77d
7e142c8fa614cc39d0453aa648b12209821c6bcbb77ee02094f70161b40d50ae
879cfe23a96e822f3873fd90a37d548d7975ba0552ce28527d3d1e292000c59b
eccff5c026a01cbe91db45cd0289f8822985aa5183f096d8add69762696d100d
fdd9752f4bb03762828e2e2bb6ec26c5f05a664dc28e02457685ddb3650d3e95
a8614dfad5fd2a79302a7c4829a0fed6f3a0a46b11beb28f89531cdfa83d32b3
03d2b73ecde0575a1e5ea24d6e4f12987cc081c0bc22dadf8c4219e8e38ca6e0
589aa1f7252cae74538343cd35443c0a8f58ed280f2016918b6e539a0c09529a
590a75978ab33a97280be1e2ae62a2e416ada45a11bc3f1cb77c99f3eb542b4e
5e97f7c17bf0466355be0438c7cc3e2e4d125e31368f2fbcb8e1d79cb97f137a
8673ce317876e6c3fe868c98524a3b2ae86a79b737536b865f044a52d16a7193
b0fcd7d9396e70b89e8292f6b80f933607b6fc9a9d3d4dd4ca69b408a2625932
b4fb231356254426e340ab1dba50fa37a69859fc4e8a2dbdfc3e1db082006847
c6651d6ce31c3a00357e579981d48c0da942b5bbe1582bf3d612a07dc3bc0ff6
db946f3f2b409370d14a6e69cf029f2818985f19320fa09b63bd3268dc830b02
34d1231a3bf1e13a9b90daecb5c74d52aea94ca54427b203d77e1adc61a5c4f9
2c0de3d5432d5a14cb03936a460ceb633b53a51881c4fa4f3dfa87fedef2148e
C2:
- govtop[.]one/incometax
- 204.194.48.250
- 118.107.0.197
- 27.50.54.191
- 223.26.63.40:2671
- ikkkkddd[.]com
- kkxqbh[.]top
MITRE ATT&CK:
| Tactic | Technique Name | Technique ID |
| --- | --- | --- |
| Initial Access | Spearphishing Attachment | T1566.001 |
| Initial Access | Spearphishing Link | T1566.002 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 |
| Execution | Native API | T1106 |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 |
| Privilege Escalation | Abuse Elevation Control Mechanism: UAC Bypass / Runas | T1548.002 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion | Process Injection | T1055 |
| Defense Evasion | Reflective Code Loading / In-Memory Execution | T1620 |
| Defense Evasion | Impair Defenses: AMSI Bypass | T1562.001 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 |
| Discovery | System Information Discovery | T1082 |
| Discovery | Process Discovery | T1057 |
| Discovery | Security Software Discovery | T1518.001 |
| Discovery | System Owner/User Discovery | T1033 |
| Discovery | Application Window Discovery | T1010 |
| Collection | Screen Capture | T1113 |
| Collection | Data from Local System | T1005 |
| Command and Control | Encrypted Channel | T1573 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control | Non-Application Layer Protocol | T1095 |
| Command and Control | Dynamic Resolution | T1568 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |