T1027.016 Junk Code Insertion

Adversaries may insert junk code (also called dead code) to obscure a malware's functionality. Junk code is code that either never executes or, if it does execute, does not change the program's behavior. It makes analysis slower and more difficult because the analyst has to step through non-functional instructions instead of the code that matters. It may also hinder detections that rely on static code analysis, since the inserted code looks benign, especially when combined with Compression or Software Packing.[1][2]

No-Operation (NOP) instructions are the most common form of junk code in x86 assembly; the single-byte NOP is encoded as opcode 0x90. A NOP does execute, but it changes no register, flag or memory state. When NOPs are inserted into malware, the disassembler still shows them, so the analyst has to step over them to reach the functional code.[1]

The use of junk / dead code insertion is distinct from Binary Padding because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature.
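As an added illustration that is not part of the ATT&CK page or any of the cited reports, the following Python script shows both halves of the story above: a toy inserter that scatters semantic no-ops (NOP, mov eax,eax, lea eax,[eax], push/pop pairs) between the instructions of a constructed 32-bit x86 fragment, and a normalizing scanner that strips that junk so a byte signature written against the clean fragment matches again. This is also the shape of the M1049 observation that detection must not depend on the raw bytes. The opcode subset, the payload bytes, the signature and the normalizer are all the example's own assumptions; it handles straight-line code only and does not fix up relative branch displacements.

```python
"""Toy x86-32 junk-code inserter and normalizing scanner (constructed example)."""
import random

# Junk sequences: 32-bit x86 instructions that leave registers, flags and live
# memory unchanged after they run. Constructed for this example.
JUNK = [
    b"\x90",       # nop
    b"\x89\xC0",   # mov eax, eax
    b"\x8D\x00",   # lea eax, [eax]
    b"\x50\x58",   # push eax ; pop eax
]

# Constructed stand-in for a "real" code fragment; not taken from any sample.
PAYLOAD = (
    b"\xB8\x41\x41\x41\x41"   # mov eax, 0x41414141
    b"\x50"                   # push eax
    b"\x31\xC0"               # xor eax, eax
    b"\x59"                   # pop ecx
    b"\xC3"                   # ret
)
SIGNATURE = PAYLOAD  # naive byte signature: the whole fragment, verbatim


def insn_len(code, i):
    """Length of the instruction at code[i]. Only the opcodes used in this
    example are supported; anything else raises so the decode never
    silently misaligns."""
    op = code[i]
    if op == 0x90 or op == 0xC3 or 0x50 <= op <= 0x5F:
        return 1                      # nop / ret / push r32 / pop r32
    if 0xB8 <= op <= 0xBF:
        return 5                      # mov r32, imm32
    if op in (0x31, 0x89, 0x8D):      # xor / mov / lea with a ModRM byte
        mod, rm = code[i + 1] >> 6, code[i + 1] & 7
        if mod == 3 or (mod == 0 and rm not in (4, 5)):
            return 2                  # reg operand, or [reg] with no SIB/disp
    raise ValueError(f"unsupported encoding at {i}: {code[i:i + 2].hex()}")


def decode(code):
    """Split a byte string into a list of instruction byte strings."""
    insns, i = [], 0
    while i < len(code):
        n = insn_len(code, i)
        insns.append(code[i:i + n])
        i += n
    return insns


def insert_junk(code, seed, max_junk=3):
    """Re-emit `code` with 1..max_junk junk sequences after every instruction.
    Deterministic for a given seed; a different seed gives different bytes."""
    rng = random.Random(seed)
    out = bytearray()
    for insn in decode(code):
        out += insn
        for _ in range(rng.randint(1, max_junk)):
            out += rng.choice(JUNK)
    return bytes(out)


def is_single_junk(insn):
    """nop, or mov r,r / lea r,[r] where source and destination registers match."""
    if insn == b"\x90":
        return True
    if len(insn) == 2 and insn[0] in (0x89, 0x8D):
        mod, reg, rm = insn[1] >> 6, (insn[1] >> 3) & 7, insn[1] & 7
        return reg == rm and mod == (3 if insn[0] == 0x89 else 0)
    return False


def normalize(code):
    """Strip junk so a signature written against the clean fragment matches."""
    insns = [x for x in decode(code) if not is_single_junk(x)]
    out, i = bytearray(), 0
    while i < len(insns):
        cur = insns[i]
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        # push r ; pop r (same register) cancels out
        if nxt and len(cur) == 1 and 0x50 <= cur[0] <= 0x57 and nxt[0] == cur[0] + 8:
            i += 2
            continue
        out += cur
        i += 1
    return bytes(out)


def signature_hits(code, sig=SIGNATURE):
    """Naive static check: does the signature appear as contiguous bytes?"""
    return sig in code


def demo(seed=1234):
    obf = insert_junk(PAYLOAD, seed)
    return {
        "original_len": len(PAYLOAD),
        "obfuscated_len": len(obf),
        "sig_on_original": signature_hits(PAYLOAD),
        "sig_on_obfuscated": signature_hits(obf),
        "sig_on_normalized": signature_hits(normalize(obf)),
        "normalized_equals_original": normalize(obf) == PAYLOAD,
    }


if __name__ == "__main__":
    for seed in (1, 2, 3):
        print(seed, demo(seed))
```

The raw signature fails on every obfuscated variant because at least one junk sequence sits between each pair of real instructions, yet the normalized bytes are identical to the original for any seed. Real samples mix in opaque predicates, dummy API calls and infinite loops that a peephole pass like this will not remove, which is why emulation or behavioral detection is the more robust answer.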

ID: T1027.016
Sub-techniques of T1027: T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017
Tactics: TA0005 (Defense Evasion)
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 04 March 2025
Last Modified: 15 April 2025

Procedure Examples

ID | Name | Description
G0050 | APT32 | APT32 includes garbage code to mislead anti-malware software and researchers.[21][22]
S0137 | CORESHELL | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[12]
S0512 | FatDuke | FatDuke has been packed with junk code and strings.[17]
G0046 | FIN7 | FIN7 has used random junk code to obfuscate malware code.[18]
S0182 | FinFisher | FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[13][14]
G0047 | Gamaredon Group | Gamaredon Group has obfuscated .NET executables by inserting junk code.[19]
S0666 | Gelsemium | Gelsemium can use junk code to hide functions and evade detection.[15]
S0477 | Goopy | Goopy's decrypter has been inflated with junk code between legitimate API functions, and also includes infinite loops to avoid analysis.[10]
G0094 | Kimsuky | Kimsuky has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection.[20]
S0449 | Maze | Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[3]
G0129 | Mustang Panda | Mustang Panda has used junk code within their DLL files to hinder analysis.[23][24]
S0453 | Pony | Pony obfuscates memory flow by adding junk instructions when executing to make analysis more difficult.[8]
S0223 | POWERSTATS | POWERSTATS has used useless code blocks to counter analysis.[16]
S0370 | SamSam | SamSam has used garbage code to pad some of its malware components.[9]
S1183 | StrelaStealer | StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.[5]
S0612 | WastedLocker | WastedLocker contains junk code to increase its entropy and hide the actual code.[11]
S0117 | XTunnel | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[4]
S0248 | yty | yty contains junk code in its binary, likely to confuse malware analysts.[6]
S0230 | ZeroT | ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[7]

Mitigations

ID | Mitigation | Description
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.[1]

References

1. ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.
2. ReasonLabs. (n.d.). What is Junk Code?. Retrieved April 4, 2025.
3. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
4. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
5. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
6. Schwarz, D. and Sopko, J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
7. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
8. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
9. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
10. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
11. Antenucci, S., Pantazopoulos, N. and Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
12. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
13. Allievi, A. and Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
14. FinFisher. (n.d.). Retrieved September 12, 2024.
15. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
16. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
17. Faou, M., Tartare, M. and Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
18. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
19. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
20. Iuzvyk, D. and Peck, T. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025.
21. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
22. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
23. Cote Cyr, A. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
24. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.