T1027.002 Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[2]

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.[1]
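Most of the evidence that an executable has been packed lives in its file metadata, which is the data source listed for this technique: section names left behind by well-known packers, sections whose bytes have near-maximal entropy because they hold compressed or encrypted code, and sections with no data on disk but a large virtual size reserved as the in-memory unpacking target. The Python below is an added illustration, not code from the ATT&CK page or from any tool it lists: it parses a PE section table and reports those three indicators over two constructed sample images. The packer section-name list and the 7.0 bits-per-byte threshold are assumptions chosen for the demonstration; the sample files are built by the script itself and are not loadable programs.

```python
import hashlib
import math
import struct

# Section names that well-known packers leave behind. This is a small starter
# list, not an exhaustive catalogue; a custom packer will not match it at all.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2",
    b".MPRESS1", b".MPRESS2",
    b".themida", b".vmp0", b".vmp1", b".vmp2",
    b".enigma1", b".enigma2",
    b".aspack", b".adata",
}

HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table; return (name, virtual_size, raw_bytes) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF file header after the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; section headers follow the optional header.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_indicators(pe: bytes) -> list:
    """Return human-readable indicators that the image may be packed."""
    findings = []
    for name, vsize, raw in parse_sections(pe):
        label = name.decode("ascii", errors="replace")
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{label}: section name associated with a known packer")
        entropy = shannon_entropy(raw)
        if entropy >= HIGH_ENTROPY:
            findings.append(f"{label}: high entropy ({entropy:.2f} bits/byte)")
        if not raw and vsize > 0:
            findings.append(f"{label}: no raw data but {vsize:#x} bytes virtual size (unpack target)")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed, minimal PE-shaped file for the demo (not a loadable image):
    DOS header with e_lfanew, PE signature, COFF header with no optional header,
    then the section headers followed by each section's raw data."""
    num = len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0)
    headers, data = b"", b""
    ptr = 0x40 + 24 + 40 * num  # first raw byte lands right after the headers
    for name, vsize, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                               len(raw), ptr if raw else 0, 0, 0, 0, 0, 0)
        data += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + headers + data


# Constructed stand-ins: a repetitive "code" section and a pseudo-random blob
# (chained SHA-256 digests) standing in for a compressed payload.
LOW_ENTROPY_CODE = b"\x55\x8b\xec\x83\xec\x10" * 200
PSEUDO_COMPRESSED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))


def packed_sample() -> bytes:
    """UPX-style layout: empty UPX0 to unpack into, UPX1 holding the compressed blob."""
    return build_sample_pe([
        (b"UPX0", 0x20000, b""),
        (b"UPX1", 0x8000, PSEUDO_COMPRESSED),
        (b".rsrc", 0x1000, LOW_ENTROPY_CODE),
    ])


def clean_sample() -> bytes:
    """Ordinary layout: a code section and a zero-filled data section."""
    return build_sample_pe([
        (b".text", 0x400, LOW_ENTROPY_CODE),
        (b".data", 0x100, b"\0" * 256),
    ])


if __name__ == "__main__":
    for label, sample in (("packed", packed_sample()), ("clean", clean_sample())):
        print(label, packing_indicators(sample) or ["no packing indicators"])
```

Each indicator on its own is weak evidence: installers, self-extracting archives and programs that embed compressed resources also produce high-entropy sections, and, as the description notes, a custom packer leaves none of the well-known section names. Treat a match as a reason to escalate to heuristic or behavioural analysis rather than as a verdict, which is the stance mitigation M1049 takes.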

Item Value
ID T1027.002
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.2
Created 05 February 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.[93]
S0504 Anchor Anchor has come with a packed payload.[66]
G1007 Aoqin Dragon Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.[51]
S0622 AppleSeed AppleSeed has used UPX packers for its payload DLL.[23]
G0016 APT29 APT29 used UPX to pack files.[83]
G0022 APT3 APT3 has been known to pack their tools.[88][89]
G0082 APT38 APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[78]
G0087 APT39 APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[86][87]
S0373 Astaroth Astaroth uses a software packer called Pe123\RPolyCryptor.[37]
S0638 Babuk Versions of Babuk have been packed.[16][17][18]
S0534 Bazar Bazar has a variant with a packed payload.[43][44]
S0268 Bisonal Bisonal has used the MPRESS packer and similar tools for obfuscation.[57]
S0520 BLINDINGCAN BLINDINGCAN has been packed with the UPX packer.[65]
C0017 C0017 During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[92]
S0020 China Chopper China Chopper’s client component is packed with UPX.[68]
S0611 Clop Clop has been packed to help avoid detection.[71][72]
S0614 CostaBricks CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.[73]
S0527 CSPY Downloader CSPY Downloader has been packed with UPX.[3]
S0625 Cuba Cuba has a packed payload when delivered.[46]
G0070 Dark Caracal Dark Caracal has used UPX to pack Bandook.[77]
S0334 DarkComet DarkComet has the option to compress its payload using UPX or MPRESS.[62]
S0187 Daserf A version of Daserf uses the MPRESS packer.[42]
S0281 Dok Dok is packed with an UPX executable packer.[26]
S0695 Donut Donut can generate packed code modules.[4]
S0694 DRATzarus DRATzarus’s dropper can be packed with UPX.[14]
S0024 Dyre Dyre has been delivered with encrypted resources and must be unpacked for execution.[40]
S0554 Egregor Egregor’s payloads are custom-packed, archived and encrypted to prevent analysis.[38][39]
G0066 Elderwood Elderwood has packed malware payloads before delivery to victims.[74]
G1003 Ember Bear Ember Bear has packed malware to help avoid detection.[75]
S0367 Emotet Emotet has used custom packers to protect its payloads.[28]
S0512 FatDuke FatDuke has been regularly repacked by its operators to create large binaries and evade detection.[48]
S0182 FinFisher A FinFisher variant uses a custom packer.[24][25]
S0628 FYAnti FYAnti has used ConfuserEx to pack its .NET module.[61]
G0093 GALLIUM GALLIUM packed some payloads using different types of packers, both known and custom.[76]
S0588 GoldMax GoldMax has been packed for obfuscation.[41]
S0342 GreyEnergy GreyEnergy is packed for obfuscation.[31]
S0132 H1N1 H1N1 uses a custom packing algorithm.[29]
S0601 Hildegard Hildegard has packed ELF files into other binaries.[60]
S0431 HotCroissant HotCroissant has used the open source UPX executable packer.[5]
S0398 HyperBro HyperBro has the ability to pack its payload.[7]
S0483 IcedID IcedID has packed and encrypted its loader module.[47]
S0283 jRAT jRAT payloads have been packed.[13]
G0094 Kimsuky Kimsuky has packed malware with UPX.[23]
S0356 KONNI KONNI has been packed for obfuscation.[22]
S0513 LiteDuke LiteDuke has been packed with multiple layers of encryption.[48]
S0447 Lokibot Lokibot has used several packing methods for obfuscation.[45]
S0532 Lucifer Lucifer has used UPX packed binaries.[52]
S0409 Machete Machete has been packed with NSIS.[30]
S0530 Melcoz Melcoz has been packed with VMProtect and Themida.[59]
S0455 Metamorfo Metamorfo has used VMProtect to pack and protect files.[70]
S0083 Misdat Misdat was typically packed using UPX.[21]
S1026 Mongall Mongall has been packed with Themida.[51]
S0198 NETWIRE NETWIRE has used .NET packer tools to evade detection.[9]
C0002 Night Dragon During Night Dragon, threat actors used software packing in its tools.[94]
S0264 OopsIE OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[8]
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.[14][96][32]
C0016 Operation Dust Storm For Operation Dust Storm, the threat actors used UPX to pack some payloads.[21]
C0005 Operation Spalax For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.[95]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has a variant that is packed with UPX.[36]
G0040 Patchwork A Patchwork payload was packed with UPX.[90]
S0650 QakBot QakBot can encrypt and pack malicious payloads.[56]
S0565 Raindrop Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[63][64]
G0106 Rocke Rocke’s miner has created UPX-packed files in the Windows Start Menu Folder.[79][80][81]
S0085 S-Type Some S-Type samples have been packed with UPX.[21]
S1018 Saint Bot Saint Bot has been packed using a dark market crypter.[19]
S0461 SDBbot SDBbot has used a packed installer file.[20]
S0053 SeaDuke SeaDuke has been packed with the UPX packer.[27]
S0444 ShimRat ShimRat’s loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[58]
S0543 Spark Spark has been packed with Enigma Protector to obfuscate its contents.[15]
S1030 Squirrelwaffle Squirrelwaffle has been packed with a custom packer to hide payloads.[11][12]
S0663 SysUpdate SysUpdate has been packed with VMProtect.[7][6]
G0092 TA505 TA505 has used UPX to obscure malicious code.[20]
G0139 TeamTNT TeamTNT has used UPX and Ezuri packer to pack its binaries.[85]
G0089 The White Company The White Company has obfuscated their payloads through packing.[82]
G0027 Threat Group-3390 Threat Group-3390 has packed malware and tools, including using VMProtect.[84][7]
S0671 Tomiris Tomiris has been packed with UPX.[10]
S0678 Torisma Torisma has been packed with Iz4 compression.[32]
S0266 TrickBot TrickBot leverages a custom packer to obfuscate its functionality.[69]
S0094 Trojan.Karagany Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[53][54]
S0022 Uroburos Uroburos uses a custom packer.[55]
S0476 Valak Valak has used packed DLL payloads.[50]
S0257 VERMIN VERMIN is initially packed.[33]
S0248 yty yty packs a plugin with UPX.[67]
S0251 Zebrocy Zebrocy’s Delphi variant was packed with UPX.[34][35]
S0230 ZeroT Some ZeroT DLL files have been packed with UPX.[49]
G0128 ZIRCONIUM ZIRCONIUM has used multi-stage packers for exploit code.[91]


Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.


Detection

ID Data Source Data Component
DS0022 File File Metadata


References

  1. Alexandre D’Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022. 

  2. Kafka, F. (2018, January). ESET’s Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019. 

  3. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  4. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  5. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  6. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  7. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  8. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  9. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  10. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 

  11. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. 

  12. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. 

  13. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  14. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  15. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  16. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  17. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. 

  18. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. 

  19. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  20. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  21. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  22. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022. 

  23. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  24. FinFisher. (n.d.). Retrieved December 20, 2017. 

  25. Kaspersky Lab’s Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018. 

  26. fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021. 

  27. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. 

  28. Trend Micro. (2019, January 16). Exploring Emotet’s Activities. Retrieved March 25, 2019. 

  29. Reynolds, J. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016. 

  30. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  31. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 

  32. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. 

  33. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  34. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  35. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  36. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. 


  38. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. 

  39. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020. 

  40. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. 

  41. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  42. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  43. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  44. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. 

  45. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. 

  46. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  47. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. 

  48. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  49. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  50. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 

  51. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 

  52. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  53. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  54. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  55. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. 

  56. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  57. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  58. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  59. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  60. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  61. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  62. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  63. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. 

  64. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. 

  65. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  66. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  67. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  68. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. 

  69. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  70. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  71. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. 

  72. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  73. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  74. O’Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. 

  75. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  76. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  77. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  78. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. 

  79. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  80. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020. 

  81. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  82. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  83. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. 

  84. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  85. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. 

  86. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  87. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 

  88. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018. 

  89. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. 

  90. Kaspersky Lab’s Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016. 

  91. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021. 

  92. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  93. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  94. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  95. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  96. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.