216.73.217.121

T1127.003: JamPlus

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID
T1127.003
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:10
Author / Source
The MITRE Corporation

Platforms

windows

Description

Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual) Adversaries may abuse the `JamPlus` build utility to execute malicious scripts via a `.jam` file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.(Citation: Cyble)(Citation: Elastic Security Labs)

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.