T1027.001: T1027.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1027.001
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Binary Padding

Platforms

windows macos linux

Description

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

mitre-attack (T1027.001)
Securelist Malware Tricks April 2017
VirusTotal FAQ
ESET OceanLotus

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (29)

BlackBasta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SLOW#TEMPEST uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LummaStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0494 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0145 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Raspberry Robin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 29

Meduza uses

Family
Gremlin stealer uses

Family
REPTILE uses

Family
WormGPT uses

Family
ScatterBrain uses

Family
DeedRAT uses

Family
FormBook uses

Family
Comnie uses
PLUSINJECT uses

Family
Global Socket uses

Family
POISONPLUG.SHADOW uses

Family
Strela Stealer uses

Family

← Previous

Page / 10

1–12 of 111

Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
Inside OnyxC2: The New Stealer Targeting 210 Apps related

15 MITREs 1 Malware 4 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight … related

AlienVault Confidence 100 20 MITREs 5 Malwares 12 IOCs 12 Observables
Attack Activity Analysis Using SSH+TOR Tunnels for Covert … related

19 MITREs 10 Observables 1 APT
Tracing a Multi-Vector Malware Campaign: From VBS to … related

18 MITREs 5 Malwares 28 Observables
Technical Analysis of GuLoader Obfuscation Techniques related

14 MITREs 2 Malwares 6 Observables
Multi-Platform Ransomware Written in Rust related

1 CVE 12 MITREs 2 Malwares 3 Observables 1 APT
Technical Analysis of Matanbuchus 3.0 related

20 MITREs 1 Malware 5 Observables
Learn about ChillyHell, a modular Mac backdoor related

13 MITREs 1 APT
Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into … related

6 MITREs 1 APT
Malware Analysis Reveals Sophisticated RAT With Corrupted Headers related

13 MITREs 1 Malware

← Previous

Page / 3

1–12 of 34

Vulnerabilities (CVE) (8)

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2024-26229 targets

CVE-2025-21590 KEV targets

4.4 Medium

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to …

Attack vector: Local
Published: 13/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-31969 targets

CVE-2025-22457 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …

Attack vector: Network
Published: 04/04/2025
Modified: 21/12/2025

Received

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-41328 KEV targets

6.7 Medium

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …

Attack vector: Local
Published: 14/03/2023
Modified: 21/12/2025

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

Attack patterns (MITRE) (1)

T1027 subtechnique-of

Obfuscated Files or Information MITRE

Contact About Legal notice Privacy policy Terms of use