1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. Dynamic API Resolution

Obfuscated Files or Information: Dynamic API Resolution

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling
T1027.007 Dynamic API Resolution
T1027.008 Stripped Payloads
T1027.009 Embedded Payloads
T1027.010 Command Obfuscation
T1027.011 Fileless Storage
T1027.012 LNK Icon Smuggling
T1027.013 Encrypted/Encoded File
T1027.014 Polymorphic Code
T1027.015 Compression
T1027.016 Junk Code Insertion
T1027.017 SVG Smuggling

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.

API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.[1][2]

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution).[3][4][1]

ID: T1027.007
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Windows
Version: 1.0
Created: 22 August 2022
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
S1053 AvosLocker

AvosLocker has used obfuscated API calls that are retrieved by their checksums.[5]
S0534 Bazar

Bazar can hash then resolve API calls at runtime.[6][7]
S1063 Brute Ratel C4

Brute Ratel C4 can call and dynamically resolve hashed APIs.[8]
S1237 CANONSTAGER

CANONSTAGER has utilized custom API hashing to obfuscate the Windows APIs being used.[9]
S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can use LoadLibrary and GetProcAddress to resolve Windows API function strings at run time.[10]
S1236 CLAIMLOADER

CLAIMLOADER has utilized XOR-encrypted API names and native APIs of LdrLoadDll() and LderGetProcedureAddress() to resolve imports dynamically.[11][12]
S1160 Latrodectus

Latrodectus can resolve Windows APIs dynamically by hash.[13]
G0032 Lazarus Group

Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.[14]
G0129 Mustang Panda

Mustang Panda has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.[15]
S0013 PlugX

PlugX has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.[15]
S0147 Pteranodon

Pteranodon can use a dynamic Windows hashing algorithm to map API components.[16]
S1148 Raccoon Stealer

Raccoon Stealer dynamically links key WinApi functions during execution.[17][18]
S1099 Samurai

Samurai can encrypt API name strings with an XOR-based algorithm.[19]
S1232 SplatDropper

SplatDropper has leveraged hashed Windows API calls using a seed value of "131313".[20]
S1239 TONESHELL

TONESHELL has utilized a modified DJB2 algorithm to resolve APIs.[21]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0091 Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups AN0250

Behavioral chain involving suspicious use of GetProcAddress and LoadLibrary following memory allocation and manual mapping, often paired with low entropy strings, abnormal API use without static import tables, or delayed module load behaviors.

References

  1. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  2. spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.
  3. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  4. drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.
  5. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  6. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  7. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  8. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  9. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
  10. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  11. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
  1. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
  2. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  3. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  4. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
  5. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  6. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  7. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  8. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  9. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025.
  10. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.