1. Home
  2. Techniques
  3. Enterprise
  4. System Location Discovery
  5. System Language Discovery

System Location Discovery: System Language Discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.[1]

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.[2]

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.[3][4][5]

On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.

ID: T1614.001
Sub-technique of:  T1614
Tactic: Discovery
Platforms: Linux, Windows, macOS
Contributors: Harshal Tupsamudre, Qualys
Version: 1.1
Created: 18 August 2021
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0640 Avaddon

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities.[6]
S0534 Bazar

Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian.[7]
G1043 BlackByte

BlackByte identified system language settings to determine follow-on execution.[8]
S1180 BlackByte Ransomware

BlackByte Ransomware identifies the language on the victim system.[9]
S0611 Clop

Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset function.[10]

S0625 Cuba

Cuba can check if Russian language is installed on the infected machine by using the function GetKeyboardLayoutList.[11]

S1153 Cuckoo Stealer

Cuckoo Stealer can check the systems LANG environmental variable to prevent infecting devices from Armenia (hy_AM), Belarus (be_BY), Kazakhstan (kk_KZ), Russia (ru_RU), and Ukraine (uk_UA).[12]
S0616 DEATHRANSOM

Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar DEATHRANSOM would exit.[13]
S0547 DropBook

DropBook has checked for the presence of Arabic language in the infected machine's settings.[14]
S0696 Flagpro

Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog.[15]

S1138 Gootloader

Gootloader can determine if a victim's computer is running an operating system with specific language preferences.[16]
S0632 GrimAgent

GrimAgent has used Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain.[17]

S0483 IcedID

IcedID used the following command to check the country/language of the active console:
cmd.exe /c chcp >&2.[18]
G0004 Ke3chang

Ke3chang has used implants to collect the system language ID of a compromised machine.[19]
S1199 LockBit 2.0

LockBit 2.0 can check if a targeted machine is using a set of Eastern European languages and exit without infection if so.[20][21]
S1202 LockBit 3.0

LockBit 3.0 will not affect machines with language settings matching a defined exlusion list of mainly Eastern European languages.[22][23]
G1026 Malteiro

Malteiro will terminate Mispadu's infection process if the language of the victim machine is not Spanish or Portuguese.[24]
S0652 MarkiRAT

MarkiRAT can use the GetKeyboardLayout API to check if a compromised host's keyboard is set to Persian.[25]
S0449 Maze

Maze has checked the language of the machine with function GetUserDefaultUILanguage and terminated execution if the language matches with an entry in the predefined list.[26]
S0083 Misdat

Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call GetKeyboardType.[27]
S1122 Mispadu

Mispadu checks and will terminate execution if the compromised system’s language ID is not Spanish or Portuguese.[28][24]
S0691 Neoichor

Neoichor can identify the system language on a compromised host.[19]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[29]
S1228 PUBLOAD

PUBLOAD has checked supported languages on the compromised system.[30]
S1240 RedLine Stealer

RedLine Stealer can retrieve system default language and time zone.[31]
S0496 REvil

REvil can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates.[32]
S0446 Ryuk

Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.[2]
S0085 S-Type

S-Type has attempted to determine if a compromised system was using a Japanese keyboard via the GetKeyboardType API call.[27]
S0546 SharpStage

SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed.[14]
S0543 Spark

Spark has checked the results of the GetKeyboardLayoutList and the language name returned by GetLocaleInfoA to make sure they contain the word "Arabic" before executing.[33]
S1200 StealBit

StealBit can determine system location based on the default language setting and will not execute on systems located in former Soviet countries.[34]
G1053 Storm-0501

Storm-0501 has identified system language codes on a compromised host to determine if the victim falls under a non-supported language code that is prohibited for targeting, including victims associated with Russia and other Commonwealth of Independent States (CIS) that may draw attention of law enforcement in countries where the ransomware operator or affiliates may reside/operate from.[35][36]
S1183 StrelaStealer

StrelaStealer variants check system language settings via keyboard layout or similar mechanisms.[37][38]
S0242 SynAck

SynAck lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files.[5]

S0658 XCSSET

XCSSET uses AppleScript to check the host's language and location with the command user locale of (get system info).[39]
S0330 Zeus Panda

Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN.[40]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0565 Detection Strategy for System Language Discovery AN1561

Registry access to system language keys (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language) or suspicious processes invoking locale-related APIs (e.g., GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList). Defender visibility focuses on anomalous or non-standard processes issuing these queries, especially when run by unknown binaries or scripts.
AN1562

Processes executing commands to query system locale and language settings, such as 'locale', 'echo $LANG', or parsing environment variables. Suspicious activity is indicated by these commands being run by unusual users, automation scripts, or non-administrative processes.
AN1563

Execution of commands to query system locale and language settings, such as 'defaults read -g AppleLocale' or 'systemsetup -gettimezone'. Unusual parent processes or execution contexts of these commands may indicate adversarial discovery.

References

  1. Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.
  2. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  3. Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.
  4. Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.
  5. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  6. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  7. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  8. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  9. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
  10. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  11. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  12. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  13. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  14. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  15. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  16. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
  17. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  18. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
  19. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  20. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  1. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  2. CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025.
  3. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  4. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  5. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  6. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  7. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  8. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
  9. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  10. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025.
  11. Splunk Threat Research Team. (2023, June 1). Do Not Cross The 'RedLine' Stealer: Detections and Analysis. Retrieved September 17, 2025.
  12. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  13. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  14. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
  15. Avertium. (2022, January 11). An In-Depth Look at Ransomware Gang, Sabbath. Retrieved October 19, 2025.
  16. Tyler McLellan, Brandan Schondorfer. (2021, November 29). Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again. Retrieved October 19, 2025.
  17. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  18. Golo Mühr, Joe Fasulo & Charlotte Hammond, IBM X-Force. (2024, November 12). Strela Stealer: Today’s invoice is tomorrow’s phish. Retrieved December 31, 2024.
  19. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  20. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.