216.73.217.22

T1027.016: Junk Code Insertion

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID
T1027.016
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:10
Author / Source
The MITRE Corporation

Platforms

windows macos linux

Description

Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code) No-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs) The use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature.

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (6)

  • APT-C-36 uses Blind Eagle
    The MITRE Corporation Confidence 100

    [APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • FIN7 uses GOLD NIAGARAITG14
    The MITRE Corporation Confidence 100

    [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • APT32 uses SeaLotusAPT-C-00
    The MITRE Corporation Confidence 100

    [APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS
    The MITRE Corporation Confidence 100

    [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 22/05/2026 04:12
  • Gamaredon Group uses IRON TILDENPrimitive Bear
    The MITRE Corporation Confidence 100

    [Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33

Malware (18)

  • WastedLocker
  • Maze
  • StrelaStealer uses
    Family
    Published 25/06/2024 13:07 · Modified 25/06/2024 13:07
  • ANELLDR uses
    Family
    Published 27/11/2024 18:31 · Modified 27/11/2024 18:31
  • CORESHELL
  • SamSam
  • ZeroT
  • POWERSTATS
  • PureCrypter uses
    Family
    Published 10/10/2025 08:25 · Modified 10/10/2025 08:25
  • Gelsemium
  • FatDuke
  • Goopy
  • LODEINFO uses
    Family
    Published 19/11/2024 09:19 · Modified 19/11/2024 09:19
  • yty
  • FinFisher
  • Pony
  • XTunnel
  • NOOPLDR uses
    Family
    Published 07/10/2024 19:59 · Modified 07/10/2024 19:59

Reports (1)

  • Threat landscape — Belgium related
    Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
    Published 29/05/2026 11:51 · threat-report

Attack patterns (MITRE) (1)

  • T1027 subtechnique-of
    Obfuscated Files or Information

Course Of Action (1)

  • Antivirus/Antimalware mitigates