MITRE ATT&CK Technique
Initial Access T1659
Description

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems. (Citation: ESET MoustachedBouncer)

Adversaries may inject content to victim systems in various ways, including:

* From the middle, where the adversary is in-between legitimate online client-server communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), which describes AiTM activity solely within an enterprise environment) (Citation: Kaspersky Encyclopedia MiTM)
* From the side, where malicious content is injected and races to the client as a fake response to requests of a legitimate online server (Citation: Kaspersky ManOnTheSide)

Content injection is often the result of compromised upstream communication channels, for example at the level of an internet service provider (ISP) as is the case with "lawful interception." (Citation: Kaspersky ManOnTheSide) (Citation: ESET MoustachedBouncer) (Citation: EFF China GitHub Attack)
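Added detection example (not part of the ATT&CK entry): in the "from the side" case the client's network path carries both the injected response and the legitimate one, so a sensor can flag server-to-client TCP segments that cover the same sequence range with different bytes. The `Segment` record, its field names and the sample addresses are constructed for illustration; sequence-number wraparound is not handled, and the TTL difference is only a supporting hint.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    src: str        # server "ip:port" (hypothetical record layout)
    dst: str        # client "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL observed at the sensor
    payload: bytes

def find_conflicting_responses(segments):
    """Flag segments of one server->client flow whose sequence ranges
    overlap but whose bytes differ in the overlap (a racing response)."""
    flows = defaultdict(list)
    findings = []
    for seg in segments:
        if not seg.payload:
            continue                      # pure ACKs carry nothing to compare
        seen = flows[(seg.src, seg.dst)]
        for old in seen:
            lo = max(old.seq, seg.seq)
            hi = min(old.seq + len(old.payload), seg.seq + len(seg.payload))
            if lo >= hi:
                continue                  # ranges do not overlap
            a = old.payload[lo - old.seq:hi - old.seq]
            b = seg.payload[lo - seg.seq:hi - seg.seq]
            if a != b:                    # identical bytes = benign retransmission
                findings.append({"flow": (seg.src, seg.dst), "seq": lo,
                                 "overlap_len": hi - lo,
                                 "ttl_delta": abs(old.ttl - seg.ttl)})
        seen.append(seg)
    return findings

# Constructed sample: flow :51000 receives two different answers for the same
# sequence number; flow :51002 only sees an ordinary retransmission.
SAMPLE = [
    Segment("203.0.113.10:80", "198.51.100.7:51000", 1000, 58,
            b"HTTP/1.1 200 OK\r\n\r\nfirst-arriving body"),
    Segment("203.0.113.10:80", "198.51.100.7:51000", 1000, 49,
            b"HTTP/1.1 200 OK\r\n\r\nsecond-arriving body"),
    Segment("203.0.113.10:80", "198.51.100.7:51002", 5000, 49, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment("203.0.113.10:80", "198.51.100.7:51002", 5000, 49, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_conflicting_responses(SAMPLE):
        print(finding)
```

A finding does not say which of the two segments was injected; it marks the flow for review, and it only applies where the sensor can see payload bytes at the TCP layer.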

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2023-09-01T21:03:13.406Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may gain access and continuously communicate with '
                'victims by injecting malicious content into systems through '
                'online network traffic. Rather than luring victims to '
                'malicious payloads hosted on a compromised website (i.e., '
                '[Drive-by '
                'Target](https://attack.mitre.org/techniques/T1608/004) '
                'followed by [Drive-by '
                'Compromise](https://attack.mitre.org/techniques/T1189)), '
                'adversaries may initially access victims through compromised '
                'data-transfer channels where they can manipulate traffic '
                'and/or inject their own content. These compromised online '
                'network channels may also be used to deliver additional '
                'payloads (i.e., [Ingress Tool '
                'Transfer](https://attack.mitre.org/techniques/T1105)) and '
                'other data to already compromised systems.(Citation: ESET '
                'MoustachedBouncer)\n'
                '\n'
                'Adversaries may inject content to victim systems in various '
                'ways, including:\n'
                '\n'
                '* From the middle, where the adversary is in-between '
                'legitimate online client-server communications (**Note:** '
                'this is similar but distinct from '
                '[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557), '
                'which describes AiTM activity solely within an enterprise '
                'environment) (Citation: Kaspersky Encyclopedia MiTM)\n'
                '* From the side, where malicious content is injected and '
                'races to the client as a fake response to requests of a '
                'legitimate online server (Citation: Kaspersky ManOnTheSide)\n'
                '\n'
                'Content injection is often the result of compromised upstream '
                'communication channels, for example at the level of an '
                'internet service provider (ISP) as is the case with "lawful '
                'interception."(Citation: Kaspersky ManOnTheSide)(Citation: '
                'ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)',
 'external_references': [{'external_id': 'T1659',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1659'},
                         {'description': 'Budington, B. (2015, April 2). China '
                                         'Uses Unencrypted Websites to Hijack '
                                         'Browsers in GitHub Attack. Retrieved '
                                         'September 1, 2023.',
                          'source_name': 'EFF China GitHub Attack',
                          'url': 'https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack'},
                         {'description': 'Faou, M. (2023, August 10). '
                                         'MoustachedBouncer: Espionage against '
                                         'foreign diplomats in Belarus. '
                                         'Retrieved September 1, 2023.',
                          'source_name': 'ESET MoustachedBouncer',
                          'url': 'https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/'},
                         {'description': 'Kaspersky IT Encyclopedia. (n.d.). '
                                         'Man-in-the-middle attack. Retrieved '
                                         'September 1, 2023.',
                          'source_name': 'Kaspersky Encyclopedia MiTM',
                          'url': 'https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/'},
                         {'description': 'Starikova, A. (2023, February 14). '
                                         'Man-on-the-side – peculiar attack. '
                                         'Retrieved September 1, 2023.',
                          'source_name': 'Kaspersky ManOnTheSide',
                          'url': 'https://usa.kaspersky.com/blog/man-on-the-side/27854/'}],
 'id': 'attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'initial-access'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'command-and-control'}],
 'modified': '2025-04-15T22:10:29.343Z',
 'name': 'Content Injection',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.0'}
Related Threat Actors (1)
MoustachedBouncer
High