Distribute malicious software development tools

An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. [1] [2]

ID: T1394
Sub-techniques:  No sub-techniques
Tactic: Stage Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Developers could check a hash or signature of their development tools to ensure that they match expected values (e.g., Apple provides instructions of how to do so for its Xcode developer tool), but developers may not always do so.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): No

Explanation: The adversary would need to either replace the tools provided at the official download location or influence developers to download the tools from an adversary-controlled third-party download location. Desktop operating systems (e.g., Windows, macOS) are increasingly encouraging use of vendor-provided official app stores to distribute software, which utilize code signing and increase the difficulty of replacing development tools with malicious versions.


  1. Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved April 12, 2017.
  1. Ken Thompson. (1984, August). Reflections on Trusting Trust. Retrieved April 12, 2017.