1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. Compile After Delivery

Obfuscated Files or Information: Compile After Delivery

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling
T1027.007 Dynamic API Resolution
T1027.008 Stripped Payloads
T1027.009 Embedded Payloads
T1027.010 Command Obfuscation
T1027.011 Fileless Storage
T1027.012 LNK Icon Smuggling
T1027.013 Encrypted/Encoded File
T1027.014 Polymorphic Code
T1027.015 Compression
T1027.016 Junk Code Insertion
T1027.017 SVG Smuggling

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe[1], csc.exe, or GCC/MinGW.[2]

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[3]

ID: T1027.004
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Liran Ravich, CardinalOps; Praetorian; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 1.2
Created: 16 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0348 Cardinal RAT

Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[4]
S0673 DarkWatchman

DarkWatchman has used the csc.exe tool to compile a C# executable.[5]

S0661 FoggyWeb

FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.[6]
G0047 Gamaredon Group

Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.[7]

G0069 MuddyWater

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[2]
S0385 njRAT

njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[8]
G0106 Rocke

Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[9]

S1099 Samurai

Samurai can compile and execute downloaded modules at runtime.[10]
G1041 Sea Turtle

Sea Turtle downloaded source code files from remote addresses then compiled them locally via GCC in victim environments.[11]
S0633 Sliver

Sliver includes functionality to retrieve source code and compile locally prior to execution in victim environments.[12]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0501 Detection Strategy for Compile After Delivery - Source Code to Executable Transformation AN1381

Detects compilation activity using csc.exe, ilasm.exe, or msbuild.exe initiated by user-space processes outside typical development environments, followed by execution or network activity from newly written binaries.
AN1382

Detects GCC or Clang invoked on suspicious file paths (e.g., /tmp/, ~/Downloads) with output to executable binaries, followed by execution or outbound traffic from these binaries.
AN1383

Detects non-standard compilation activity via Xcode CLI tools or bundled GCC/MONO packages writing new executable files and executing them outside dev environments (e.g., user Downloads folder).

References

  1. Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.
  2. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  3. Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.
  4. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  5. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  6. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  1. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  2. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  3. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  4. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  5. Hunt & Hackett Research Team. (2024, January 5). Turkish espionage campaigns in the Netherlands. Retrieved November 20, 2024.
  6. Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.