T1027.001 Binary Padding
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.1 The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.2 Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.3
| Item | Value |
|---|---|
| ID | T1027.001 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.3 |
| Created | 05 February 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1024 | Akira | Akira has used binary padding to obfuscate payloads.34 |
| G0016 | APT29 | APT29 used large size files to avoid detection by security solutions with hardcoded size limits.27 |
| S0268 | Bisonal | Bisonal has appended random binary data to the end of itself to generate a large binary.14 |
| S1070 | Black Basta | Black Basta had added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.20 |
| G0060 | BRONZE BUTLER | BRONZE BUTLER downloader code has included “0” characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.3233 |
| S1149 | CHIMNEYSWEEP | The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size.10 |
| S0244 | Comnie | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.22 |
| S0614 | CostaBricks | CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.12 |
| S0082 | Emissary | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.21 |
| S0367 | Emotet | Emotet inflates malicious files and malware as an evasion technique.5 |
| S0477 | Goopy | Goopy has had null characters padded in its malicious DLL payload.25 |
| S0531 | Grandoreiro | Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size.11 |
| S0632 | GrimAgent | GrimAgent has the ability to add bytes to change the file hash.23 |
| G0126 | Higaisa | Higaisa performed padding with null bytes before calculating its hash.30 |
| S0528 | Javali | Javali can use large obfuscated libraries to hinder detection and analysis.6 |
| G0094 | Kimsuky | Kimsuky has performed padding of PowerShell command line code with over 100 spaces.28 |
| S0236 | Kwampirs | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.15 |
| S1160 | Latrodectus | Latrodectus has been obfuscated with a 129 byte sequence of junk data prepended to the file.16 |
| G0065 | Leviathan | Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.26 |
| S1185 | LightSpy | LightSpy’s configuration file is appended to the end of the binary. For example, the last 0x1d0 bytes of one sample is an AES encrypted configuration file with a static key of 3e2717e8b3873b29.13 |
| G0002 | Moafee | Moafee has been known to employ binary padding.29 |
| G0040 | Patchwork | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.31 |
| S0013 | PlugX | PlugX has utilized junk code and opaque predicates in payloads to hinder analysis.17 |
| S0650 | QakBot | QakBot can use large file sizes to evade detection.87 |
| S0433 | Rifdoor | Rifdoor has added four additional bytes of data upon launching, then saved the changed version as C:\ProgramData\Initech\Initech.exe.9 |
| S1086 | Snip3 | Snip3 can obfuscate strings using junk Chinese characters.24 |
| S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE can execute FileRecvWriteRand to append random bytes to the end of a file received from C2.4 |
| S1239 | TONESHELL | TONESHELL has used randomized padding to obfuscate payloads.1819 |
References
-
Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. ↩
-
Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019. ↩
-
VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019. ↩
-
USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. ↩
-
Kenefick, I. (2023, March 13). Emotet Returns, Now Adopts Binary Padding for Evasion. Retrieved June 19, 2024. ↩
-
GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. ↩
-
Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024. ↩
-
Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. ↩
-
Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. ↩
-
Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. ↩
-
ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. ↩
-
The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. ↩
-
Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. ↩
-
Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. ↩
-
Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. ↩
-
Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. ↩
-
Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. ↩
-
Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025. ↩
-
Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025. ↩
-
Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. ↩
-
Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. ↩
-
Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. ↩
-
Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. ↩
-
Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. ↩
-
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. ↩
-
Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. ↩
-
Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. ↩
-
Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025. ↩
-
Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014. ↩
-
Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. ↩
-
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. ↩
-
Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. ↩
-
Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. ↩
-
Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024. ↩