T1027.001: T1027.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 15:04 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1027.001
Confidence: 100/100
Revoked: No
Published: 05/02/2020 15:04
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Binary Padding

Platforms

windows macos linux

Description

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

mitre-attack (T1027.001)
Securelist Malware Tricks April 2017
VirusTotal FAQ
ESET OceanLotus

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (29)

BlackBasta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SLOW#TEMPEST uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LummaStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC3886 uses

The MITRE Corporation Confidence 100

[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0494 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0145 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Raspberry Robin uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 29

Meduza uses

Family
Gremlin stealer uses

Family
REPTILE uses

Family
WormGPT uses

Family
ScatterBrain uses

Family
DeedRAT uses

Family
FormBook uses

Family
Comnie uses
PLUSINJECT uses

Family
Global Socket uses

Family
POISONPLUG.SHADOW uses

Family
Strela Stealer uses

Family

← Previous

Page / 7

1–12 of 77

Mark Your Calendar: APT41 Innovative Tactics related

5 MITREs 5 Malwares 6 Observables 1 APT
Russian Unit 26165 Targets Western Logistics and Technology … related

12 MITREs 1 Malware 10 Observables
Malware or LLM? Silent Werewolf employs new loaders … related

15 MITREs 1 Malware 28 Observables 1 APT
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos … related

11 MITREs 1 Malware 5 Observables
Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap … related

10 MITREs 3 Malwares
Lampion Is Back With ClickFix Lures related

15 MITREs 1 Malware 10 Observables 1 APT
A Deep Dive into Strela Stealer and how … related

15 MITREs 2 Malwares 1 APT
Ghost in the Router: China-Nexus Espionage Actor UNC3886 … related

3 CVEs 9 MITREs 6 Malwares 14 Observables 1 APT
Melting Pot of macOS Malware Adds Go to … related

11 MITREs 6 Malwares 12 Observables
Unboxing Anubis: Exploring the Stealthy Tactics of FIN7's … related

17 MITREs 1 Malware 1 APT
Booking a Threat: Inside LummaStealer's Fake reCAPTCHA related

8 MITREs 3 Malwares 12 Observables 1 APT
Unmasking the Shadow of PoisonPlug's Obfuscator related

20 MITREs 2 Malwares 2 Observables 1 APT

← Previous

Page / 3

13–24 of 34

Vulnerabilities (CVE) (8)

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2024-26229 targets

CVE-2025-21590 KEV targets

4.4 Medium

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to …

Attack vector: Local
Published: 13/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-31969 targets

CVE-2025-22457 KEV targets

9.0 Critical

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before …

Attack vector: Network
Published: 04/04/2025
Modified: 21/12/2025

Received

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-41328 KEV targets

6.7 Medium

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …

Attack vector: Local
Published: 14/03/2023
Modified: 21/12/2025

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

Attack patterns (MITRE) (1)

T1027 subtechnique-of

Obfuscated Files or Information MITRE

Contact About Legal notice Privacy policy Terms of use