Develop Capabilities: Malware

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.[1][2][3][4]

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of Web Services.[5]

ID: T1587.001
Sub-technique of:  T1587
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 15 April 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 developed SUNSPOT, SUNBURST, TEARDROP, and Raindrop; SUNSPOT and SUNBURST were tailored to be incorporated into SolarWind's Orion software library.[6][7][8]

G0003 Cleaver

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[9]

G0046 FIN7

FIN7 has developed malware for use in operations, including the creation of infected removable media.[4][10]

G0032 Lazarus Group

Lazarus Group has developed several custom malware for use in operations.[11]

G0014 Night Dragon

Night Dragon used privately developed and customized remote access tools.[12]

G0034 Sandworm Team

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[13]

G0010 Turla

Turla has developed its own unique malware for use in operations.[14]


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.