Obfuscated Files or Information: Embedded Payloads

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.[1]

Adversaries may embed payloads in various file formats to hide payloads.[2] This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.[3]

For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.[4] Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.[5]

Embedded content may also be used as Process Injection payloads used to infect benign system processes.[6] These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.[7]

ID: T1027.009
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
System Requirements: User
Contributors: Nick Cairns, @grotezinfosec
Version: 1.0
Created: 30 September 2022
Last Modified: 21 October 2022

Procedure Examples

ID Name Description
S0126 ComRAT

ComRAT has embedded a XOR encrypted communications module inside the orchestrator module.[8][9]

S0567 Dtrack

Dtrack has used a dropper that embeds an encrypted payload as extra data.[10]

S0231 Invoke-PSImage

Invoke-PSImage can be used to embed payload data within a new image file.[3]

S1048 macOS.OSAMiner

macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads.[5]


The SMOKEDHAM source code is embedded in the dropper as an encrypted string.[11]


ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files.

M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.[12]


ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for newly constructed files containing large amounts of data. Abnormal file sizes may be an indicator of embedded content.

File Metadata

Monitor contextual data about a file that may highlight embedded payloads, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives.