Skip to content

T1614 System Location Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.461 Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.4 In cloud environments, an instance’s availability zone may also be discovered by accessing the instance metadata service from the instance.25

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.36

Item Value
ID T1614
Sub-techniques T1614.001
Tactics TA0007
Platforms IaaS, Linux, Windows, macOS
Version 1.1
Created 01 April 2021
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1025 Amadey Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.29
S0115 Crimson Crimson can identify the geographical location of a victim host.22
S1153 Cuckoo Stealer Cuckoo Stealer can determine the geographical location of a victim host by checking the language.11
S1111 DarkGate DarkGate queries system locale information during execution.12 Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.13
S0673 DarkWatchman DarkWatchman can identity the OS locale of a compromised host.8
S1138 Gootloader Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.9
S0632 GrimAgent GrimAgent can identify the country code on a compromised host.25
S1249 HexEval Loader HexEval Loader has a function where the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions.26
S1245 InvisibleFerret InvisibleFerret has collected the internal IP address, IP geolocation information of the infected host and sends the data to a C2 server.28 InvisibleFerret has also leveraged the “pay” module to obtain region name, country, city, zip code, ISP, latitude and longitude using “http://ip-api.com/json”.27
S0013 PlugX PlugX has obtained the location of the victim device by leveraging GetSystemDefaultLCID.10
S0262 QuasarRAT QuasarRAT can determine the country a victim host is located in.7
S1148 Raccoon Stealer Raccoon Stealer collects the Locale Name of the infected device via GetUserDefaultLocaleName to determine whether the string ru is included, but in analyzed samples no action is taken if present.21
S0481 Ragnar Locker Before executing malicious code, Ragnar Locker checks the Windows API GetLocaleInfoW and doesn’t encrypt files if it finds a former Soviet country.4
S1240 RedLine Stealer RedLine Stealer has gathered detailed information about victims’ systems, such as IP addresses, and geolocation.171820 RedLine Stealer has also checked the IP from where it was being executed and leveraged an opensource geolocation IP-lookup service. 19
S1018 Saint Bot Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.2324
S0461 SDBbot SDBbot can collected the country code of a compromised machine.16
G1008 SideCopy SideCopy has identified the country location of a compromised host.30
S1124 SocGholish SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.14
G1017 Volt Typhoon Volt Typhoon has obtained the victim’s system current location.31
S1248 XORIndex Loader XORIndex Loader can identify the geographical location of a victim host.15

References

  1. Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021. 

  2. Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021. 

  3. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021. 

  4. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024. 

  5. Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021. 

  6. Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021. 

  7. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  8. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  9. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024. 

  10. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  11. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. 

  12. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  13. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. 

  14. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024. 

  15. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  16. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  17. Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025. 

  18. George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025. 

  19. Mohansundaram M, Neil Tyagi. (2024, April 17). Redline Stealer: A Novel Approach. Retrieved September 17, 2025. 

  20. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025. 

  21. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  22. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  23. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 

  24. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  25. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  26. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  27. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  28. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  29. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 

  30. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  31. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.