Skip to content


BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.1

Item Value
ID S0415
Associated Names
Version 1.0
Created 11 October 2019
Last Modified 15 October 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information BOOSTWRITE has used a a 32-byte long multi-XOR key to decode data inside its payload.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.1
enterprise T1027 Obfuscated Files or Information BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.1
enterprise T1129 Shared Modules BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing BOOSTWRITE has been signed by a valid CA.1

Groups That Use This Software

ID Name References
G0046 FIN7 1