1. Home
  2. Techniques
  3. Enterprise
  4. System Location Discovery

System Location Discovery

ID Name
T1614.001 System Language Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[1][2][3] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[1] In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.[4][5]

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[6][2]

ID: T1614
Sub-techniques:  T1614.001
Tactic: Discovery
Platforms: IaaS, Linux, Windows, macOS
Contributors: Hiroki Nagahama, NEC Corporation; Katie Nickels, Red Canary; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Wes Hurd
Version: 1.1
Created: 01 April 2021
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1025 Amadey

Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.[7]
S0115 Crimson

Crimson can identify the geographical location of a victim host.[8]

S1153 Cuckoo Stealer

Cuckoo Stealer can determine the geographical location of a victim host by checking the language.[9]
S1111 DarkGate

DarkGate queries system locale information during execution.[10] Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.[11]
S0673 DarkWatchman

DarkWatchman can identity the OS locale of a compromised host.[12]
S1138 Gootloader

Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea.[13]
S0632 GrimAgent

GrimAgent can identify the country code on a compromised host.[14]
S1249 HexEval Loader

HexEval Loader has a function where the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions.[15]
S1245 InvisibleFerret

InvisibleFerret has collected the internal IP address, IP geolocation information of the infected host and sends the data to a C2 server.[16] InvisibleFerret has also leveraged the "pay" module to obtain region name, country, city, zip code, ISP, latitude and longitude using "http://ip-api.com/json".[17]
S0013 PlugX

PlugX has obtained the location of the victim device by leveraging GetSystemDefaultLCID.[18]
S0262 QuasarRAT

QuasarRAT can determine the country a victim host is located in.[19]
S1148 Raccoon Stealer

Raccoon Stealer collects the Locale Name of the infected device via GetUserDefaultLocaleName to determine whether the string ru is included, but in analyzed samples no action is taken if present.[20]
S0481 Ragnar Locker

Before executing malicious code, Ragnar Locker checks the Windows API GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country.[1]
S1240 RedLine Stealer

RedLine Stealer has gathered detailed information about victims’ systems, such as IP addresses, and geolocation.[21][22][23] RedLine Stealer has also checked the IP from where it was being executed and leveraged an opensource geolocation IP-lookup service. [24]
S1018 Saint Bot

Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[25][26]
S0461 SDBbot

SDBbot can collected the country code of a compromised machine.[27]
G1008 SideCopy

SideCopy has identified the country location of a compromised host.[28]
S1124 SocGholish

SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.[29]
G1017 Volt Typhoon

Volt Typhoon has obtained the victim's system current location.[30]
S1248 XORIndex Loader

XORIndex Loader can identify the geographical location of a victim host.[31]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0043 Detection Strategy for System Location Discovery AN0119

Unusual process or API usage attempting to query system locale, timezone, or keyboard layout (e.g., calls to GetLocaleInfoW, GetTimeZoneInformation). Detection can be enhanced by correlating with processes not typically associated with system configuration queries, such as unknown binaries or scripts.
AN0120

Detection of commands accessing locale, timezone, or language settings such as 'locale', 'timedatectl', or parsing /etc/timezone. Anomalous execution by unusual users or automation scripts should be flagged.
AN0121

Detection of system calls or commands accessing system locale (e.g., 'defaults read -g AppleLocale', 'systemsetup -gettimezone'). Correlate with unusual parent processes or execution contexts.
AN0122

Detection of queries to instance metadata services (e.g., AWS IMDS, Azure Metadata Service) for availability zone, region, or network geolocation details. Correlation with non-management accounts or non-standard workloads may indicate adversary reconnaissance.

References

  1. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.
  2. Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.
  3. Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.
  4. Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.
  5. Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.
  6. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.
  7. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  8. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  9. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  10. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  11. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  12. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  13. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
  14. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  15. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
  16. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.
  1. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.
  2. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
  3. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  4. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  5. Alexandre Cote Cyr. (2024, November 8). Life on a crooked RedLine: Analyzing the infamous infostealer’s backend. Retrieved September 17, 2025.
  6. George Glass. (2024, August 14). REDLINESTEALER Malware Driving the Initial Access Broker Market. Retrieved September 17, 2025.
  7. Proofpoint Threat Insight Team, Jeremy H, Axel F. (2020, March 16). New Redline Password Stealer Malware. Retrieved September 17, 2025.
  8. Mohansundaram M, Neil Tyagi. (2024, April 17). Redline Stealer: A Novel Approach. Retrieved September 17, 2025.
  9. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  10. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  11. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  12. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  13. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
  14. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  15. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.