T1027.002: T1027.002

Search IOCs, vulnerabilities, APT…

216.73.216.109

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1027.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Aliases

Software Packing

Platforms

windows macos linux

Description

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Awesome Executable Packing
ESET FinFisher Jan 2018
mitre-attack (T1027.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (67)

Rocke uses

The MITRE Corporation Confidence 100

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ITG05 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ischhfd83 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAC-0063 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese APTs uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
STARDUST CHOLLIMA uses NICKEL GLADSTONEBeagleBoyz

The MITRE Corporation Confidence 100

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT31 uses Violet TyphoonZIRCONIUM

The MITRE Corporation Confidence 100

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
VasyGrek uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2541 uses

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 67

Mzmess uses

Family
LokiBot uses

Family
LucidRook uses

Family
PLUSDROP uses

Family
VBCloud uses

Family
ComRAT - S0126 uses
QUIETCANARY uses

Family The MITRE Corporation Confidence 100

[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Endico uses

Family
Casbaneiro uses

Family
PetitPotato uses

Family
Daserf uses
Trojan.Karagany uses

← Previous

Page / 8

1–12 of 95

From PostCSS Masquerading to Windows RAT related

AlienVault Confidence 100 20 MITREs 9 IOCs 3 Observables
Twitter Feed - nextronresearch - 17-06-2026 related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 1 APT
From emerging threat to top-tier ransomware-as-a-service: The evolution … related

AlienVault Confidence 100 4 CVEs 19 MITREs 4 Malwares 25 IOCs 25 Observables 1 APT
Interlock and Rhysida within the Ransomware Ecosystem related

2 CVEs 22 MITREs 24 Malwares 102 Observables 1 APT
Targeted espionage against Cambodian government entities related

AlienVault Confidence 100 18 MITREs 3 Malwares 8 IOCs 8 Observables 1 APT
Technical Analysis of MLTBackdoor related

AlienVault Confidence 100 19 MITREs 1 Malware 34 IOCs 34 Observables
VerdantBamboo: Just Another BRICKSTORM in the Firewall related

19 MITREs 3 Malwares 32 Observables 1 APT
Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware … related

19 MITREs 5 Observables
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal … related

AlienVault Confidence 100 23 MITREs 1 Malware 8 IOCs 8 Observables
RemotePE: The Lazarus RAT that lives in memory related

20 MITREs 6 Malwares 10 Observables 1 APT
Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect … related

3 CVEs 20 MITREs 1 Malware 25 Observables
Popular node-ipc npm Package Infected with Credential Stealer related

AlienVault Confidence 100 20 MITREs 1 Malware 10 IOCs 10 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (75)

CVE-2025-0994 KEV targets

8.8 High

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This …

Attack vector: Network
Published: 07/02/2025
Modified: 21/12/2025

Analyzed

CVE-2013-3307 targets

8.3 High

Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in …

Attack vector: NETWORK
Published: 11/07/2025
Modified: 21/12/2025

CVE-2023-3466 targets

8.3 High

Reflected Cross-Site Scripting (XSS)

Attack vector: NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2023-3467 targets

8.0 High

Privilege Escalation to root administrator (nsroot)

Attack vector: ADJACENT_NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2024-46483 targets

9.8 Critical

Xlight FTP Server <3.9.4.3 has an integer overflow vulnerability in the packet parsing logic of the SFTP server, which can lead to …

Attack vector: NETWORK
Published: 23/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2017-5638 targets

CVE-2012-1856 KEV targets

8.8 High

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office allows remote attackers to execute arbitrary code via a …

Attack vector: NETWORK
Complexity: LOW
Published: 15/08/2012
Modified: 27/04/2026

CVE-2023-46747 KEV targets

9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector: Network
Published: 31/10/2023
Modified: 21/12/2025

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

← Previous

Page / 7

1–12 of 75

T1027 subtechnique-of

Obfuscated Files or Information MITRE

Campaign (3)

Night Dragon uses
Operation Spalax uses
SharePoint ToolShell Exploitation uses

Contact About Legal notice Privacy policy Terms of use