T1622 Debugger Evasion
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.[7]
Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to Virtualization/Sandbox Evasion, if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.
Specific checks will vary based on the target and/or adversary. On Windows, this may involve Windows API calls such as IsDebuggerPresent() or CheckRemoteDebuggerPresent(), Native API calls such as NtQueryInformationProcess(), or manually reading the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve reading the TracerPid field of /proc/self/status, which is nonzero when another process (a debugger or other dynamic analysis tool) is tracing the process via ptrace.[4][8] Other checks look for hardware breakpoints in the debug registers, scan code for breakpoint opcodes such as INT 3 (0xCC), time short code regions to catch single-stepping or breakpoints, or raise an exception and observe whether it is delivered to the process at all (an attached debugger would typically "swallow" or handle it first).[3][5][9]
Malware may also leverage Structured Exception Handling (SEH) to detect debuggers by deliberately raising an exception and observing whether its own handler runs. SEH covers both hardware and software exceptions and gives the program control over how they are processed, with hooks for debugging. If a debugger is attached, it is notified of the exception first and, for breakpoint-style exceptions, typically consumes it, so control stops in the debugger and the program's handler never executes. If no debugger is present, control passes to the registered SEH handler, which handles the exception and lets execution continue; the malware then keys its behavior off whether the handler ran.[1]
Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by preventing attachment in the first place (for example, calling ptrace with PT_DENY_ATTACH on macOS) or by flooding debug output with meaningless data via looped calls to functions such as OutputDebugStringW().[6][2]
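The three POSIX-side checks described above, as an added example in C (not code from the ATT&CK page or from any malware it lists): parsing TracerPid out of /proc/self/status (exercised on a constructed status excerpt as well as the live process), raising a breakpoint trap with a handler installed to see whether a debugger swallows it (the POSIX counterpart of the SEH trick), and timing a short code region. It assumes Linux for the procfs check, x86/x86-64 for the inline int3 (other ISAs fall back to raise(SIGTRAP)), and the default gdb/lldb behavior of not passing SIGTRAP on to the debuggee.

```c
/* Added example (not code from the ATT&CK page or from any malware it lists):
 * POSIX-side debugger checks from the technique description. Assumes Linux
 * for the procfs check and x86/x86-64 for inline int3 (other ISAs use raise()).
 * Build: cc -O1 -o antidbg antidbg.c ; run plain, then under gdb, and compare. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed /proc/<pid>/status excerpt for a process traced by pid 4242
 * (made up for this example, not captured from a real system). */
const char SAMPLE_STATUS_TRACED[] =
    "Name:\tpayload\nState:\tt (tracing stop)\nPid:\t31337\nPPid:\t4242\n"
    "TracerPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n";

/* 1. TracerPid: walk the status text line by line and read the field.
 * Returns the tracer pid (0 = nobody is tracing) or -1 if the field is absent. */
long tracer_pid_from_status(const char *status)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Live version for the current process: 1 = traced, 0 = not, -1 = no procfs
 * (macOS has none; there the ThiefQuest-style sysctl/P_TRACED check applies). */
int is_traced_procfs(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tp = tracer_pid_from_status(buf);
    return tp < 0 ? -1 : (tp > 0 ? 1 : 0);
}

/* 2. Exception-swallowing check, the POSIX counterpart of the SEH trick.
 * Without a debugger the SIGTRAP handler runs and sets the flag. gdb/lldb
 * receive SIGTRAP first and by default do not pass it on, so the flag stays 0.
 * Returns 1 if the trap was swallowed, 0 if the handler ran, -1 on error. */
static volatile sig_atomic_t g_trap_seen = 0;
static void on_sigtrap(int sig) { (void)sig; g_trap_seen = 1; }

int debugger_swallowed_trap(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0) return -1;
    g_trap_seen = 0;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("int3");   /* 0xCC is a trap: execution resumes after it */
#else
    raise(SIGTRAP);
#endif
    sigaction(SIGTRAP, &old, NULL);
    return g_trap_seen ? 0 : 1;
}

/* 3. Timing check over a region that should take microseconds. A breakpoint
 * or single-stepping inside it stretches the interval by orders of magnitude.
 * Returns 1 if the elapsed time exceeds threshold_ns, else 0. */
int timing_check_exceeded(long long threshold_ns)
{
    struct timespec t0, t1;
    volatile unsigned acc = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (unsigned i = 0; i < 1000; i++) acc += i * 2654435761u;  /* filler work */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    long long ns = (long long)(t1.tv_sec - t0.tv_sec) * 1000000000LL
                 + (t1.tv_nsec - t0.tv_nsec);
    return ns > threshold_ns ? 1 : 0;
}

int main(void)
{
    printf("parser on constructed sample : TracerPid=%ld\n",
           tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    printf("live TracerPid says traced   : %d\n", is_traced_procfs());
    printf("SIGTRAP swallowed            : %d\n", debugger_swallowed_trap());
    printf("timing check (> 50 ms)       : %d\n", timing_check_exceeded(50LL * 1000000LL));
    return 0;
}
```

Run it plain, then under gdb: the live TracerPid and SIGTRAP indicators flip to 1, and the timing check flips if you break inside the loop. The other common Linux variant, calling ptrace(PTRACE_TRACEME) and treating EPERM as "already traced", is left out because it leaves the process traced by its parent for the rest of its life; on macOS the procfs step has no equivalent and the sysctl/P_TRACED form shown in the ThiefQuest entry is used instead.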
| Item | Value |
|---|---|
| ID | T1622 |
| Sub-techniques | |
| Tactics | TA0005 (Defense Evasion), TA0007 (Discovery) |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 01 April 2022 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1087 | AsyncRAT | AsyncRAT can use the CheckRemoteDebuggerPresent function to detect the presence of a debugger.[10] |
| S1070 | Black Basta | The Black Basta dropper can check system flags, CPU registers, CPU instructions, process timing, system libraries, and APIs to determine if a debugger is present.[25] |
| S1039 | Bumblebee | Bumblebee can search for tools used in static analysis.[33] |
| S1111 | DarkGate | DarkGate checks the BeingDebugged flag in the PEB structure during execution to identify if the malware is being debugged.[15] |
| S1066 | DarkTortilla | DarkTortilla can detect debuggers by using functions such as DebuggerIsAttached and DebuggerIsLogging. DarkTortilla can also detect profilers by verifying the COR_ENABLE_PROFILING environment variable is present and active.[30] |
| S0694 | DRATzarus | DRATzarus can use IsDebuggerPresent to detect whether a debugger is present on a victim.[24] |
| S1160 | Latrodectus | Latrodectus has the ability to check for the presence of debuggers.[32] |
| S1202 | LockBit 3.0 | LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.[29] |
| S1213 | Lumma Stealer | Lumma Stealer checks the foreground window (obtained via GetForegroundWindow) for title strings containing "x32dbg", "x64dbg", "windbg", "ollydbg", "dnspy", "immunity debugger", "hyperdbg", "debug", "debugger", "cheat engine", "cheatengine" and "ida".[11] |
| S1060 | Mafalda | Mafalda can search for debugging tools on a compromised host.[31] |
| G0129 | Mustang Panda | Mustang Panda has embedded debug strings with messages to distract analysts.[23] Mustang Panda has also made calls to the Windows API CheckRemoteDebuggerPresent and exits if it detects a debugger.[12] |
| C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.[24] |
| S1145 | Pikabot | Pikabot features several methods to evade debugging by analysts, including checks for active debuggers and for breakpoints set during execution, and checks of system information items such as system memory and the number of processors.[16][17][18] |
| S0013 | PlugX | PlugX has made calls to the Windows API CheckRemoteDebuggerPresent and exits if it detects a debugger.[12] |
| S1228 | PUBLOAD | PUBLOAD has embedded debug strings with messages to distract analysts.[22][23] PUBLOAD has leveraged the OutputDebugStringW and OutputDebugStringA functions.[23] |
| S1130 | Raspberry Robin | Raspberry Robin leverages anti-debugging mechanisms through the use of ThreadHideFromDebugger.[28] |
| S0240 | ROKRAT | ROKRAT can check for debugging tools.[20][21][19] |
| S1018 | Saint Bot | Saint Bot has used is_debugger_present as part of its environmental checks.[26] |
| S1200 | StealBit | StealBit can detect that it is being run in the context of a debugger.[13] |
| S1183 | StrelaStealer | StrelaStealer variants include functionality to identify and evade debuggers.[14] |
| S0595 | ThiefQuest | ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl and checks the P_TRACED bit in the returned process flags. ThiefQuest also calls ptrace with the PT_DENY_ATTACH request to prevent a debugger from attaching.[6] |
| S1239 | TONESHELL | TONESHELL has leveraged custom exception handlers to hide code flow and disrupt execution under a debugger.[23] |
| S1207 | XLoader | XLoader uses anti-debugging mechanisms such as calling NtQueryInformationProcess with InfoClass 7 (ProcessDebugPort) to determine if it is being analyzed.[27] |
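The Windows checks named across the procedure table, collected in one added C example (not code from the ATT&CK page or from any family listed): CheckRemoteDebuggerPresent (AsyncRAT, PlugX), reading BeingDebugged straight out of the PEB (DarkGate), the NtGlobalFlag heap bits that a debugger-created process carries (the kind of heap-parameter indicator described for LockBit 3.0), NtQueryInformationProcess with InfoClass 7 / ProcessDebugPort (XLoader), and an int3 plus exception handler (the SEH idea from the description, done with a vectored handler so it builds under both MSVC and MinGW). The PEB byte offsets and the 0x70 flag value are the classic x86/x64 values and are assumptions of this example, not taken from the page; on non-Windows builds only the flag helper does real work and the live checks return -1.

```c
/* Added example (not code from the ATT&CK page or from any family in the table):
 * the Windows checks the procedure entries name. PEB offsets and the 0x70 flag
 * value are the classic x86/x64 values and are assumptions of this example.
 * Build on Windows: cl antidbg_win.c   or   gcc antidbg_win.c -o antidbg_win.exe
 * On other platforms only the flag helper does real work; live checks give -1. */
#include <stdint.h>
#include <stdio.h>

/* FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
 * FLG_HEAP_VALIDATE_PARAMETERS: set in PEB->NtGlobalFlag when a debugger
 * creates the process (the heap-parameter style indicator in the LockBit 3.0 entry). */
#define DEBUGGER_HEAP_FLAGS 0x70u

int ntglobalflag_indicates_debugger(uint32_t ntglobalflag)
{
    return (ntglobalflag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* 1. Documented API, as reported for AsyncRAT and PlugX. */
int check_remote_debugger_present(void)
{
    BOOL present = FALSE;
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &present)) return -1;
    return present ? 1 : 0;
}

/* 2. Raw PEB reads, as DarkGate does for BeingDebugged (+0x02 on both
 * architectures). NtGlobalFlag sits at +0xBC on x64 and +0x68 on x86. */
static const unsigned char *peb_bytes(void)
{
    return (const unsigned char *)NtCurrentTeb()->ProcessEnvironmentBlock;
}
int peb_being_debugged(void) { return peb_bytes()[2] ? 1 : 0; }
int peb_ntglobalflag_check(void)
{
#ifdef _WIN64
    return ntglobalflag_indicates_debugger(*(const uint32_t *)(peb_bytes() + 0xBC));
#else
    return ntglobalflag_indicates_debugger(*(const uint32_t *)(peb_bytes() + 0x68));
#endif
}

/* 3. NtQueryInformationProcess, InfoClass 7 = ProcessDebugPort (the XLoader
 * check). Resolved at run time so no ntdll import library is needed. */
typedef LONG (NTAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
int process_debug_port_check(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQIP_t fn = ntdll ? (NtQIP_t)(void *)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    if (!fn) return -1;
    ULONG_PTR port = 0;                      /* all ones when a debugger is attached */
    if (fn(GetCurrentProcess(), 7, &port, sizeof port, NULL) != 0) return -1;
    return port != 0 ? 1 : 0;
}

/* 4. Exception check from the description, with a vectored handler instead of
 * __try so it builds under MSVC and MinGW alike. An attached debugger gets the
 * int3 as a first-chance breakpoint and normally swallows it, so the handler
 * never runs and the flag stays clear. x86/x64 only: the handler must step
 * the instruction pointer over the 1-byte int3. */
static volatile LONG g_bp_handled = 0;
static LONG CALLBACK on_breakpoint(EXCEPTION_POINTERS *ep)
{
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;
#if defined(_M_X64) || defined(__x86_64__)
    ep->ContextRecord->Rip += 1;
#elif defined(_M_IX86) || defined(__i386__)
    ep->ContextRecord->Eip += 1;
#else
    return EXCEPTION_CONTINUE_SEARCH;        /* other ISAs not handled here */
#endif
    g_bp_handled = 1;
    return EXCEPTION_CONTINUE_EXECUTION;
}
int debugger_swallowed_breakpoint(void)
{
#if !defined(_M_X64) && !defined(__x86_64__) && !defined(_M_IX86) && !defined(__i386__)
    return -1;
#endif
    PVOID h = AddVectoredExceptionHandler(1, on_breakpoint);
    if (!h) return -1;
    g_bp_handled = 0;
    DebugBreak();                            /* int3 on x86/x64 */
    RemoveVectoredExceptionHandler(h);
    return g_bp_handled ? 0 : 1;
}
#else
int check_remote_debugger_present(void) { return -1; }
int peb_being_debugged(void)            { return -1; }
int peb_ntglobalflag_check(void)        { return -1; }
int process_debug_port_check(void)      { return -1; }
int debugger_swallowed_breakpoint(void) { return -1; }
#endif

int main(void)
{
    printf("CheckRemoteDebuggerPresent : %d\n", check_remote_debugger_present());
    printf("PEB.BeingDebugged          : %d\n", peb_being_debugged());
    printf("PEB.NtGlobalFlag 0x70 bits : %d\n", peb_ntglobalflag_check());
    printf("ProcessDebugPort           : %d\n", process_debug_port_check());
    printf("int3 swallowed by debugger : %d\n", debugger_swallowed_breakpoint());
    return 0;
}
```

Each check returns 1 (debugger indicated), 0 (not indicated) or -1 (could not run). An analyst defeating these checks patches the same spots the malware reads: clear PEB.BeingDebugged and the 0x70 bits in NtGlobalFlag, hook or patch NtQueryInformationProcess, and configure the debugger to pass breakpoint exceptions through to the program so the handler runs as it would without a debugger.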
References
1. Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.
2. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
3. hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.
4. jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.
5. Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.
6. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
7. ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.
8. PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.
9. vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.
10. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
11. Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
12. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025.
13. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
14. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
15. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
16. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
17. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
18. Swachchhanda Shrawan Poudel. (2024, February). Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
19. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
20. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
21. Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
22. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.
23. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
24. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
25. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
26. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
27. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
28. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
29. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.
30. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
31. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
32. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
33. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.