1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. Junk Code Insertion

Obfuscated Files or Information: Junk Code Insertion

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling
T1027.007 Dynamic API Resolution
T1027.008 Stripped Payloads
T1027.009 Embedded Payloads
T1027.010 Command Obfuscation
T1027.011 Fileless Storage
T1027.012 LNK Icon Smuggling
T1027.013 Encrypted/Encoded File
T1027.014 Polymorphic Code
T1027.015 Compression
T1027.016 Junk Code Insertion
T1027.017 SVG Smuggling

Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing.[1][2]

No-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.[1]

The use of junk / dead code insertion is distinct from Binary Padding because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature.

ID: T1027.016
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Joas Antonio dos Santos, @C0d3Cr4zy
Version: 1.0
Created: 04 March 2025
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0050 APT32

APT32 includes garbage code to mislead anti-malware software and researchers.[3][4]
S0137 CORESHELL

CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[5]
S0512 FatDuke

FatDuke has been packed with junk code and strings.[6]
G0046 FIN7

FIN7 has used random junk code to obfuscate malware code.[7]
S0182 FinFisher

FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[8][9]
G0047 Gamaredon Group

Gamaredon Group has obfuscated .NET executables by inserting junk code.[10]

S0666 Gelsemium

Gelsemium can use junk code to hide functions and evade detection.[11]
S0477 Goopy

Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.[12]
G0094 Kimsuky

Kimsuky has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis and detection.[13]
S0449 Maze

Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[14]
G0129 Mustang Panda

Mustang Panda has used junk code within their DLL files to hinder analysis.[15][16]
S0453 Pony

Pony obfuscates memory flow by adding junk instructions when executing to make analysis more difficult.[17]

S0223 POWERSTATS

POWERSTATS has used useless code blocks to counter analysis.[18]
S0370 SamSam

SamSam has used garbage code to pad some of its malware components.[19]
S1183 StrelaStealer

StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.[20]
S0612 WastedLocker

WastedLocker contains junk code to increase its entropy and hide the actual code.[21]
S0117 XTunnel

A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[22]
S0248 yty

yty contains junk code in its binary, likely to confuse malware analysts.[23]
S0230 ZeroT

ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[24]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.[1]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0322 Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns AN0913

Detects the presence of executables with high NOP padding, unusually large binary size for their function, and follow-on execution or memory injection from such files, especially when originating from temp or user-space paths.
AN0914

Detects ELF binaries written to disk that demonstrate anomalous file size or entropy, quickly followed by execution or memory region writes into remote processes (e.g., using ptrace).
AN0915

Identifies Mach-O binaries dropped into temporary directories with abnormally high binary size or padding patterns, followed by privilege escalation, exec, or memory mapping of other processes.

References

  1. ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.
  2. What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025.
  3. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  4. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  5. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  6. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  7. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  8. FinFisher. (n.d.). Retrieved September 12, 2024.
  9. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  10. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  11. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  12. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  1. Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025.
  2. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  3. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
  4. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  5. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  6. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  7. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  8. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  9. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  10. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  11. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  12. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.