What T1027 Actually Describes
At its core, T1027 covers any deliberate effort to make a malicious file, script, command, or configuration harder to identify or analyze. The goal is not necessarily to encrypt all content permanently — it is to get past defensive controls long enough to execute. Many T1027 implementations are transient: the obfuscation is stripped at runtime, with the decoded payload never touching disk in a recognizable form.
What makes T1027 so persistent across threat actor toolkits is its versatility. It applies from the earliest stages of initial access through lateral movement, persistence, and command-and-control. A threat actor can obfuscate a phishing attachment, the PowerShell stager that runs when the attachment is opened, the DLL dropped to disk, and the data exfiltrated afterward — all using different sub-techniques within this single technique ID.
MITRE last updated T1027 in October 2025, expanding it to 17 sub-techniques. Recent additions include SVG Smuggling (T1027.017), Polymorphic Code (T1027.014), Junk Code Insertion (T1027.016), and Compression (T1027.015). The technique spans all major platforms: Windows, Linux, macOS, ESXi, and Network Devices.
The 17 Sub-Techniques
Each sub-technique represents a distinct obfuscation method with its own detection surface and threat actor adoption patterns. The grid below provides an at-a-glance reference; detailed descriptions follow.
T1027.001 — Binary Padding
Adversaries append meaningless bytes to a malicious file to change its hash value and inflate its size beyond the scanning threshold of many security tools. Some endpoint products skip files above a certain size for performance reasons, making large binary padding an effective bypass. Emotet operators were documented using binary padding in 2023 to defeat signature-based detections, appending null bytes to bloat samples past detection thresholds.
T1027.002 — Software Packing
Packing compresses or encrypts an executable so the original code is only unpacked in memory at runtime. Packers like UPX, MPRESS, and custom commercial crypters are common. Packed binaries display elevated entropy scores — typically above 7.0 — which is a useful detection signal but not conclusive on its own since legitimate software can also be packed. Kimsuky has used packing to obfuscate its Troll Stealer campaigns, and Lazarus Group samples consistently show high entropy consistent with custom packing layers.
T1027.003 — Steganography
Payloads or C2 configurations are hidden within image, audio, or other media files. The malicious content is not visible and does not alter the apparent behavior of the carrier file. APT41 used this approach in late 2024, embedding an encrypted payload inside files disguised as JPEG images within a phishing ZIP archive. Two of seven apparent image files in the package were not genuine images — one contained the encrypted payload and the other was a DLL used to decrypt and execute it.
T1027.004 — Compile After Delivery
Rather than delivering a ready-to-execute binary, adversaries deliver source code that gets compiled on the victim machine using native utilities such as csc.exe (the .NET C# compiler) or GCC. This approach bypasses controls that scan for known malicious executables, since the file arriving on disk is source code that appears benign. NOBELIUM (APT29) has used this technique, and MuddyWater has deployed it in operations across the Middle East.
T1027.005 — Indicator Removal from Tools
Threat actors scrub or alter identifying strings, metadata, debug symbols, and other artifacts from their malware before deployment. This practice erodes the reliability of threat intelligence feeds and complicates attribution. It includes removing PDB paths, renaming functions, changing compilation metadata, and stripping resource sections that would otherwise fingerprint the tool.
T1027.006 — HTML Smuggling
A JavaScript blob embedded in an HTML file assembles a malicious payload in the browser's memory and triggers a download, bypassing network inspection tools that look for malicious file transfers. Because the payload never traverses the network as a recognizable file type, many proxies and email gateways miss it entirely. This technique has seen heavy adoption by initial access brokers and ransomware affiliates in phishing campaigns.
T1027.007 — Dynamic API Resolution
Instead of importing Windows API functions statically — which makes them visible in import tables — malware resolves function addresses at runtime using GetProcAddress and LoadLibrary, or custom hashing schemes. The API calls never appear in the binary's import table, making static analysis substantially harder. This is particularly common in shellcode and in modular loaders that need to remain small and evasive.
T1027.008 — Stripped Payloads
Debug symbols, section names, string tables, and other metadata useful to reverse engineers are stripped from binaries. Lazarus Group routinely strips its Go-based tools of symbol information, turning what would be annotated, readable assembly into a flat opaque binary. APT41's Calendarwalk malware was initially resistant to static analysis due to extensive stripping combined with additional obfuscation layers.
T1027.009 — Embedded Payloads
A malicious payload is embedded inside an otherwise legitimate-looking or benign file and extracted at runtime. APT41's TOUGHPROGRESS campaign embedded an encrypted payload inside fake JPEG files — the modules were extracted and executed by a DLL side-loading chain when the victim opened an LNK shortcut. Turla stores malware payloads XOR-encrypted in the Windows registry, retrieved and executed by obfuscated PowerShell scripts.
T1027.010 — Command Obfuscation
Commands — most commonly PowerShell or CMD — are obfuscated using encoding, character substitution, environment variable abuse, string concatenation, tick marks, caret characters, and other interpreter-specific quirks. The Invoke-Obfuscation framework formalized this attack surface. Gamaredon, Turla, MuddyWater, and many other nation-state actors rely heavily on command obfuscation to deliver payloads via encoded PowerShell.
T1027.011 — Fileless Storage
Rather than writing a payload to disk where endpoint security tools can inspect it, adversaries store malicious code exclusively in memory, the Windows registry, WMI subscriptions, or service configurations. Gamaredon's PteroPSDoor stores its code exclusively in registry keys in recent versions, a deliberate evolution to reduce on-disk artifact visibility. Fileless approaches are especially difficult for forensic investigation since artifacts disappear on reboot unless persistence mechanisms write them back.
T1027.012 — LNK Icon Smuggling
Windows shortcut files (.lnk) are crafted to display an icon that misrepresents the file's true function — commonly a PDF or Word document icon — while the file executes a script or binary. LNK files became a primary initial access vehicle across many APT groups after Microsoft disabled Office macros by default. Gamaredon's PteroLNK tooling is specifically designed to mass-produce weaponized LNK files for USB and network drive propagation.
T1027.013 — Encrypted/Encoded File
Files are encrypted or encoded (Base64, XOR, RC4, AES, and others) to prevent static analysis. The decryption key may be hardcoded, derived from system properties such as volume serial number, delivered via C2, or split across multiple files. APT41's TOUGHPROGRESS uses XOR keys for data encryption and LZNT1 compression for commands relayed through Google Calendar events. Lazarus samples regularly employ custom XOR or AES encryption with keys generated from environmental data.
T1027.014 — Polymorphic Code
Malware that rewrites portions of its own code between infections or executions produces samples that look different each time while behaving identically. This defeats signature matching on any static characteristic of the binary. Polymorphic engines were once mostly associated with commodity malware but are increasingly observed in targeted campaigns where long-term evasion matters.
T1027.015 — Compression
Payloads, scripts, or data are compressed using standard algorithms (ZIP, GZIP, LZMA, LZNT1, and others) to reduce size and alter file content signatures. Compression is frequently stacked with encryption. APT41's TOUGHPROGRESS compresses exfiltrated data with LZNT1 before encoding it for insertion into Google Calendar event descriptions, combining compression and encoding in a single exfiltration channel.
T1027.016 — Junk Code Insertion
Non-functional code — unreachable branches, no-ops, dead assignments — is inserted throughout malicious code to increase the complexity of analysis without changing runtime behavior. When combined with control flow obfuscation such as indirect calls, dispatch tables, and dynamically computed jump targets, junk code insertion makes automated disassembly unreliable. APT41's DLL modules in the TOUGHPROGRESS chain use register-based indirect calls, dynamic address arithmetic, and function dispatch tables specifically to defeat analysis tooling.
T1027.017 — SVG Smuggling
Scalable Vector Graphics files can contain embedded JavaScript or HTML that executes when rendered in a browser, and may carry encoded payloads assembled in memory. SVG files are frequently allowed through email gateways and web proxies that do not scrutinize vector image formats for embedded script content. MITRE formally added this sub-technique as documented in-the-wild usage increased.
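As an added example (not code from the page or from any vendor it cites), a Python triage scanner for the HTML smuggling (T1027.006) and SVG smuggling (T1027.017) markers described above: client-side Blob assembly and forced downloads in HTML, and script elements, event-handler attributes and javascript: links in SVG. The sample documents are constructed for the demonstration and the indicator names are my own.

```python
import re
import xml.etree.ElementTree as ET

# HTML smuggling tells: the payload is decoded client-side, wrapped in a Blob and
# pushed to the user as a download, so the bytes never cross the wire as a file.
HTML_SMUGGLING_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_assembly": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"\bcreateObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\b", re.I),
    "embedded_data_uri": re.compile(r"data:[\w/+.-]+;base64,", re.I),
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def scan_html(text: str) -> list:
    """Names of HTML-smuggling indicators present in the document, in table order."""
    return [name for name, rx in HTML_SMUGGLING_PATTERNS.items() if rx.search(text)]


def scan_svg(text: str) -> list:
    """Indicators of active content in an SVG: script, event handlers, javascript: links.

    xml.etree does not resolve external entities, so parsing untrusted input here does
    not expose the scanner to XXE; a malformed file raises ParseError, which the caller
    should treat as a finding of its own.
    """
    hits = set()
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()      # strip the SVG namespace
        if tag == "script":
            hits.add("script_element")
        elif tag == "foreignobject":                 # can wrap arbitrary HTML
            hits.add("foreign_object")
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):        # onload, onclick, ...
                hits.add("event_handler:" + attr.lower())
            if attr in ("href", XLINK_HREF) and value.strip().lower().startswith("javascript:"):
                hits.add("javascript_href")
    # A script body inside the SVG may assemble a download exactly like the HTML case.
    hits.update("inline:" + h for h in scan_html(text))
    return sorted(hits)


# Constructed samples for the demonstration; none is a real-world artifact.
BENIGN_HTML = '<html><body><img src="logo.png"><p>Quarterly report</p></body></html>'
SMUGGLING_HTML = ('<html><script>var b = new Blob([atob(d)]); var u = URL.createObjectURL(b);'
                  ' a.href = u; a.download = "report.pdf"; a.click();</script></html>')
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SMUGGLING_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                 '<script>var b = atob("QUJD");</script></svg>')

if __name__ == "__main__":
    for label, doc, fn in [("benign html", BENIGN_HTML, scan_html), ("smuggling html", SMUGGLING_HTML, scan_html),
                           ("benign svg", BENIGN_SVG, scan_svg), ("smuggling svg", SMUGGLING_SVG, scan_svg)]:
        print(f"{label:15} -> {fn(doc) or 'clean'}")
```

Treat the output as triage input for a gateway or sandbox rule, not as a verdict: legitimate web apps also build Blobs, so pair the hits with sender reputation and attachment context.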
Threat Actors Documented Using T1027
T1027 appears in the documented toolkit of more named threat groups than almost any other ATT&CK technique. The actors below represent some of the most extensively documented cases, with notes on their specific obfuscation tradecraft and recent campaigns.
APT41 has demonstrated sustained investment in obfuscation sophistication across a decade of operations. In late October 2024, Google Threat Intelligence Group (GTIG) documented a campaign where APT41 delivered its TOUGHPROGRESS malware through a compromised government website. The payload was concealed inside fake JPEG files within a spear-phishing ZIP archive — two of seven apparent images were not genuine images at all. One contained an encrypted payload; the other was a DLL that decrypted and launched the malicious code when the victim opened an LNK shortcut disguised as a PDF export declaration.
The TOUGHPROGRESS DLL module uses a layered evasion approach: control flow obfuscation via register-based indirect calls, dynamic address arithmetic, 64-bit register overflow techniques, and function dispatch tables. These collectively make automated disassembly tools unreliable and significantly increase manual reverse engineering time. For command-and-control, TOUGHPROGRESS hijacks Google Calendar — creating hidden events to receive encrypted commands (XOR-keyed) and exfiltrate stolen data compressed with LZNT1, effectively turning a trusted productivity service into a covert channel.
This is consistent with APT41's history of abusing cloud infrastructure for C2. Earlier in 2024, the group used Google Sheets and Google Drive for C2 through its DUSTTRAP malware family. GTIG and Mandiant also documented the VOLDEMORT malware family in October 2024, using free web hosting for payload distribution. APT41 maintained this pattern continuously from at least August 2024 across multiple malware families simultaneously.
Lazarus Group exhibits some of the most technically disciplined obfuscation practices of any documented threat actor. Malware samples attributed to the group consistently show entropy scores above 7.0, indicative of aggressive packing or encryption. Analysis of a 2025 sample documented custom packing with suspicious entry-point instructions and entry-point-level decryption routines that prevent static unpacking. The group regularly strips symbol information from Go-language tooling, leaving binaries with no readable function names or source file references.
In December 2024, Lazarus launched Operation Phantom Circuit — a supply chain attack targeting cryptocurrency and technology sector developers. The campaign involved embedding obfuscated malware directly into legitimate development tools and distributing them through GitLab and open-source repositories. The group used Astrill VPN endpoints tied to North Korean IP ranges and routed traffic through Russian proxy servers to blend malicious C2 traffic with legitimate activity. The campaign expanded to over 1,225 victims globally by December 2024 and continued adding victims through January 2025.
In the parallel Contagious Interview campaign (also tracked as DeceptiveDevelopment), Lazarus targeted software developers with fake job interview lures. In Q2 2025, Sonatype documented 107 malicious npm and PyPI packages attributed to Lazarus Group, collectively accumulating over 30,000 downloads. These packages used time-delayed payloads and encrypted transmissions to avoid detection, targeting developer machines and CI/CD pipeline infrastructure. A Lazarus-linked npm campaign in July 2025 escalated further with 67 additional malicious packages incorporating new malware loaders.
Turla has been refining obfuscation practices since at least 2008 and is considered one of the most technically sophisticated APT groups operating today. The group's PowerShell-centric obfuscation involves loading payloads exclusively in memory, avoiding on-disk drops of the final malware stage. The payload stored in the Windows registry is a PowerShell script generated using the Out-EncryptedScript.ps1 tool from PowerSploit, with variable names randomized to impede analysis. In 2024, G DATA researchers documented Turla weaponizing LNK files to deploy fileless backdoors through Microsoft's MSBuild application, with the payload stored inside an MSBuild project file and protected by SmartAssembly — a commercial obfuscation tool for .NET assemblies.
The 2024 and 2025 Turla campaigns reveal a significant operational development: cooperation with Gamaredon (FSB Center 18). Between January and June 2025, ESET documented at least three distinct attack chains in Ukraine where Gamaredon's access tooling was used to deploy Turla's Kazuar v3 backdoor. The Kazuar v3 implant is approximately 35% larger in code than its predecessor and introduces advanced network transport methods — web sockets and Exchange Web Services — alongside established obfuscation capabilities. This collaboration allowed Turla to receive high-value initial accesses from Gamaredon's broad-net intrusion campaigns and deploy sophisticated tooling selectively against the highest-priority targets.
Gamaredon operates at a volume and operational tempo unusual for a state-sponsored threat actor, having conducted over 5,000 documented cyberattacks against Ukrainian targets. ESET's comprehensive analysis of Gamaredon's 2024 toolset documented significant obfuscation upgrades across the group's existing toolkit. Starting in October 2024, Gamaredon began applying heavier obfuscation to its HTA phishing files, adding abundant blank lines and lines of unused string variables to complicate automated analysis. The VBScript payload in its PteroVDoor tool is XOR-encrypted against the victim system's volume serial number — a form of environment-keyed encryption that produces garbage output when analyzed outside the victim environment.
PteroPSDoor underwent a major upgrade in 2024, storing code exclusively in registry keys rather than files, preventing file-based endpoint detection from flagging the malware component. The tool also transitioned from continuous directory scanning to IO.FileSystemWatcher — a subtler approach that reduces process activity visible to behavioral monitoring tools.
Gamaredon's PteroLNK tooling received multiple obfuscation enhancements in the second half of 2024, including more complex LNK file creation methods and registry-based techniques to hide file extensions from users. The group's C2 infrastructure was migrated behind Cloudflare tunnels throughout 2024, adding infrastructure obfuscation on top of its payload obfuscation.
MuddyWater has relied on PowerShell command obfuscation as a core evasion mechanism across multiple years of documented campaigns targeting Middle Eastern government and telecommunications organizations. The group uses heavily encoded PowerShell commands delivered via spear-phishing documents, with the obfuscation specifically structured to evade both AMSI (Antimalware Scan Interface) and script-block logging. In documented campaigns, MuddyWater has used multi-stage encoded payloads where each stage decodes and executes the next from within memory only. CISA and partner agencies have documented MuddyWater's obfuscated tools maintaining persistent presence on compromised critical infrastructure networks. The group's BlackWater campaign showed deliberate anti-detection obfuscation improvements in direct response to prior public exposure of their techniques, indicating an active feedback loop where the group monitors its own detection and adapts.
Kimsuky has used software packing to obfuscate its Troll Stealer malware, distributing packed samples signed with valid certificates belonging to impersonated Korean companies. AhnLab ASEC and S2W researchers documented in early 2024 how Kimsuky disguised Troll Stealer samples by packing them under legitimate-looking vendor identities, complicating detection by reputation-based tools. The group consistently uses PowerShell encoding to execute multi-stage payloads, with the encoded stages retrieved from attacker-controlled domains or embedded directly in phishing documents.
Sandworm's Industroyer and Industroyer2 ICS-targeting malware families incorporate obfuscated configuration and payload components designed to evade detection in industrial control system environments where security tooling is often limited. The group's NotPetya pseudoransomware used obfuscated components to hide its true destructive purpose during initial execution. ANSSI documented Sandworm's Centreon targeting campaign using obfuscated webshell backdoors to maintain persistent access to French government networks. The group's sustained targeting of Ukrainian critical infrastructure through 2024 and 2025 has involved obfuscated scripts delivered through spear-phishing, consistent with documented TTPs across years of operations.
Detection and Analysis Approaches
Detecting T1027 directly is inherently difficult because the technique is designed to defeat detection. Defenders must focus on what obfuscation cannot hide: execution behavior, network anomalies, and the statistical properties of files and scripts.
Entropy analysis — Executable files with entropy above 7.2 on major sections may be packed or encrypted. Tools like binwalk, FLOSS, and commercial EDR platforms can flag high-entropy regions for follow-on analysis.
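The entropy signal mentioned under Software Packing (T1027.002) and in this detection item, as an added example that is not code from the page or from any tool it names: sliding-window Shannon entropy over a file using the 7.2 bits/byte threshold above, with adjacent hot windows merged into regions. The sample file bytes are constructed inside the block.

```python
import math
import os
from collections import Counter

PACKED_THRESHOLD = 7.2   # bits per byte; the figure used in the detection note above
WINDOW = 4096            # matches common section alignment, so hits line up with sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = WINDOW, threshold: float = PACKED_THRESHOLD) -> list:
    """Slide a window across the bytes; return merged (start, end, peak_entropy) regions above threshold.

    Adjacent hot windows are merged so a packed .text section reports as one range
    rather than hundreds of separate hits.
    """
    regions = []
    for start in range(0, len(data), window):
        h = shannon_entropy(data[start:start + window])
        if h < threshold:
            continue
        end = min(start + window, len(data))
        if regions and regions[-1][1] == start:            # contiguous with previous hit
            prev_start, _, peak = regions[-1]
            regions[-1] = (prev_start, end, max(peak, h))
        else:
            regions.append((start, end, h))
    return regions


def packed_fraction(data: bytes, **kw) -> float:
    """Share of the file covered by high-entropy regions; a triage score, not a verdict.

    Compressed resources, embedded certificates and legitimately packed installers also
    score high, so this belongs in a pipeline with process-context and import-table checks.
    """
    covered = sum(end - start for start, end, _ in high_entropy_regions(data, **kw))
    return covered / len(data) if data else 0.0


# Constructed sample "file": 8 KiB of text-like bytes, 16 KiB resembling a packed
# section, then 4 KiB of zero padding such as T1027.001 binary padding would add.
TEXT_LIKE = (b"This is ordinary program text with low byte entropy. " * 160)[:8192]
SAMPLE_FILE = TEXT_LIKE + os.urandom(16384) + b"\x00" * 4096

if __name__ == "__main__":
    for start, end, peak in high_entropy_regions(SAMPLE_FILE):
        print(f"high-entropy region 0x{start:06x}-0x{end:06x}  peak {peak:.3f} bits/byte")
    print(f"packed fraction: {packed_fraction(SAMPLE_FILE):.2f}")
```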
PowerShell script block logging — Enable ScriptBlockLogging and ModuleLogging in Windows PowerShell policy to capture decoded script content before execution, counteracting Base64 encoding and string concatenation obfuscation. This is one of the highest-value detections for T1027.010.
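For the encoded-PowerShell case (T1027.010 and this logging item), an added example that is not taken from the page: decoding -EncodedCommand (Base64 of UTF-16LE) out of a process command line and scoring the obfuscation tells the page lists, so the decoded content can be matched even where script block logging is not yet enabled. The sample command lines are constructed; the indicator names and one-point-each weighting are my assumptions.

```python
import base64
import re

# powershell.exe takes any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the usual spellings.
ENCODED_ARG = re.compile(r"[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Tells that a script was produced by an obfuscator (the quirks the page names) plus the
# launcher flags that usually accompany one. Names and the one-point-each weighting are mine.
OBFUSCATION_INDICATORS = {
    "backtick_in_token": re.compile(r"[A-Za-z]`[A-Za-z]"),
    "string_concatenation": re.compile(r"['\"]\s*\+\s*['\"]"),
    "char_casting": re.compile(r"\[char\]\s*\d+", re.I),
    "join_operator": re.compile(r"-join\b", re.I),
    "string_reversal": re.compile(r"\[-1\.\.-"),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}


def decode_encoded_command(command_line: str):
    """Return the script behind -EncodedCommand, or None if the line carries none.

    The blob is Base64 of UTF-16LE text; decoding it as UTF-8 yields NUL-interleaved
    garbage, which is why naive log pipelines show nothing useful for these events.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def obfuscation_indicators(text: str) -> list:
    return [name for name, rx in OBFUSCATION_INDICATORS.items() if rx.search(text)]


def triage(command_line: str) -> dict:
    """Decode if needed, then score the launcher flags and the inner script together."""
    decoded = decode_encoded_command(command_line)
    # Scan the wrapper with the blob removed so Base64 text cannot trip word-based patterns.
    wrapper = ENCODED_ARG.sub("-EncodedCommand <blob>", command_line)
    hits = set(obfuscation_indicators(wrapper))
    if decoded is not None:
        hits.add("encoded_command")
        hits.update(obfuscation_indicators(decoded))
    return {"decoded": decoded, "indicators": sorted(hits), "score": len(hits)}


def _b64_utf16le(script: str) -> str:
    """Build the constructed samples below in the encoding powershell.exe expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process command lines (not real telemetry); the scripts inside are harmless.
PLAIN_SCRIPT = "Write-Output 'hello'"
OBFUSCATED_SCRIPT = "$c = 'Wri' + 'te-Out' + 'put'; & $c ([string][char]104 + [char]105)"
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + _b64_utf16le(PLAIN_SCRIPT),
    "powershell.exe -nop -w hidden -e " + _b64_utf16le(OBFUSCATED_SCRIPT),
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = triage(line)
        print(f"score {r['score']}  {r['indicators']}  decoded={r['decoded']!r}")
```

Script block logging (Event ID 4104) still gives the better record, because it captures the script after every layer of runtime deobfuscation; this command-line decoding only reaches the outermost layer.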
AMSI integration — AMSI (Antimalware Scan Interface) intercepts PowerShell, VBScript, JScript, and other scripting content at the point of execution, after runtime deobfuscation. Ensure EDR solutions are properly integrated with AMSI, and monitor for known AMSI bypass attempts that often accompany obfuscated payload delivery.
Import table analysis — Malware using dynamic API resolution (T1027.007) will have sparse or suspiciously minimal import tables despite performing complex Windows operations. Memory-resident imports can be captured by EDR through API call monitoring and process memory inspection.
Registry and WMI persistence monitoring — Fileless payloads (T1027.011) stored in registry keys or WMI subscriptions should appear in registry event logging (Sysmon Event ID 13) and WMI subscription auditing. Monitor for script content stored in unusual registry locations, particularly under HKCU run keys and software policies.
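An added example (not page code) of the registry monitoring described here: triage over constructed Sysmon Event ID 13 records in the JSON shape a SIEM forwarder would emit, flagging Run-key writes that launch a script host and long Base64-shaped string values in odd locations, with extra weight when a script interpreter is the writer. The field names follow Sysmon's (EventID, Image, TargetObject, Details); the SID, paths and values are invented for the demonstration.

```python
import base64
import os
import re

# Keys the page calls out: HKCU Run keys and Explorer policy Run entries.
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce|Policies\\Explorer\\Run)\\", re.I)
# Interpreters and one-liners that turn a registry value into code execution.
SCRIPT_HOST = re.compile(r"\b(?:powershell|pwsh|wscript|cscript|mshta|cmd)\.exe\b|javascript:|vbscript:", re.I)
B64_TEXT = re.compile(r"^[A-Za-z0-9+/=\s]+$")
BLOB_MIN_LEN = 256      # REG_SZ values this long and Base64-shaped are rare in normal software settings


def looks_like_blob(details: str) -> bool:
    """Hundreds of Base64 characters in a string value is the fileless-storage tell."""
    s = details.strip()
    return len(s) >= BLOB_MIN_LEN and B64_TEXT.match(s) is not None


def triage_registry_event(event: dict) -> list:
    """Reasons a Sysmon Event ID 13 (RegistryEvent, value set) deserves analyst attention."""
    if event.get("EventID") != 13:
        return []
    target, details, image = event.get("TargetObject", ""), event.get("Details", ""), event.get("Image", "")
    reasons = []
    if RUN_KEY.search(target):
        reasons.append("run_key_write")
        if SCRIPT_HOST.search(details):
            reasons.append("run_key_launches_script_host")
    if looks_like_blob(details):
        reasons.append("large_base64_blob")
    if reasons and SCRIPT_HOST.search(image):
        # A script interpreter writing its own persistence or payload store is the
        # Turla/Gamaredon pattern described above, not how installers behave.
        reasons.append("written_by_script_host")
    return reasons


def scan(events: list) -> dict:
    """Map TargetObject -> reasons for every event that produced at least one reason."""
    out = {}
    for ev in events:
        reasons = triage_registry_event(ev)
        if reasons:
            out[ev["TargetObject"]] = reasons
    return out


# Constructed Sysmon records; the SID, paths and values are invented for the demonstration.
# Sysmon only emits Event ID 13 for keys its configuration includes, so tune that first.
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\W32Time\Parameters\NtpServer",
     "Details": "time.windows.com,0x9"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -nop -w hidden -File C:\Users\Public\sync.ps1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": USER_HIVE + r"\Software\AppDataLow\Settings\Data",
     "Details": base64.b64encode(os.urandom(600)).decode("ascii")},   # stand-in for a stored payload
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Test", "Details": ""},              # key create, not value set
]

if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{target}\n    {', '.join(reasons)}")
```

Legitimate software also stores Base64 state in the registry, so the blob heuristic is a triage signal to combine with the writing process and key location rather than an alert on its own.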
Network behavioral analysis — C2 via cloud services (Google Calendar, Google Drive, Dropbox, Cloudflare Workers) is difficult to block but can be correlated against process context. A system process making Calendar API calls with unusual frequency or writing to calendar event descriptions warrants investigation.
LNK file telemetry — Monitor creation of LNK files in unusual locations (temp directories, removable drives) and LNK files launching scripting engines rather than legitimate application executables. Sysmon Event ID 11 combined with process creation logging is effective here.
Detection gaps are asymmetric. Many T1027 sub-techniques specifically target the detection mechanisms defenders rely on. Environment-keyed encryption — such as XOR against volume serial number, as seen in Gamaredon's VBScript payloads — means even a captured sample will not produce readable output in an analyst's environment without the specific victim system's hardware values. Plan detection strategies around behavioral signals rather than static content matching wherever possible.
Mitigations
MITRE notes that T1027, like many defense evasion techniques, cannot be easily mitigated with preventive controls alone because the underlying mechanisms — scripting engines, file compression, dynamic linking — are operating system features. Mitigation strategies focus on limiting utility and improving detection rather than blocking the technique entirely.
Reducing the attack surface for obfuscated PowerShell commands involves configuring Constrained Language Mode where operationally feasible, enabling script block and module logging universally, and deploying application control policies (Windows Defender Application Control or AppLocker) to restrict which processes can spawn scripting interpreters.
For compile-after-delivery (T1027.004), monitoring and restricting access to native compilers (csc.exe, vbc.exe, GCC) on systems that have no development role is a practical control. Signed application control policies that whitelist only known-good builds prevent unsigned compiled output from executing.
Network-layer mitigations include TLS inspection to reveal encoded C2 content traversing HTTPS, and DNS logging to capture lookups to dynamically generated attacker domains. Browser isolation can reduce the effectiveness of HTML smuggling and SVG smuggling by preventing client-side assembly of payloads in the browsing context.
Why This Technique Persists
T1027's continued prevalence across threat actors ranging from sophisticated nation-states to commodity ransomware affiliates reflects a fundamental asymmetry in offensive and defensive tooling. Defenders must correctly identify every obfuscated threat; attackers need only one undetected execution. The technique adapts continuously — when AMSI expanded coverage to PowerShell, threat actors shifted to VBScript and then to compiled .NET. When network tools began flagging known packing signatures, actors adopted custom packers. When behavioral tools matured, actors moved to fileless storage and cloud-service C2 to blend with legitimate traffic patterns.
The 2024 and 2025 case studies of APT41 and the Gamaredon/Turla FSB cooperation demonstrate that obfuscation tradecraft is not static — groups actively evolve their approaches in response to published threat intelligence and detection capabilities. APT41's shift to embedding payloads inside legitimate-seeming image archives and routing C2 through Google Calendar is a direct response to the maturation of network-based detection for traditional C2 infrastructure. Gamaredon's migration behind Cloudflare tunnels and registry-based fileless storage reflects the same adaptive pattern.
Understanding T1027 and its sub-techniques is not primarily about building a list of detection rules. It is about building a detection architecture that accounts for the reality that any specific signature will eventually be defeated — and ensuring that behavioral, anomaly-based, and layered controls remain in place to catch what static signatures miss.
Sources and Further Reading
- MITRE ATT&CK T1027 — Obfuscated Files or Information (Version 1.7, modified October 2025)
- Google GTIG — Mark Your Calendar: APT41 Innovative Tactics (May 2025)
- ESET — Gamaredon in 2024: Cranking Out Spearphishing Campaigns
- ESET — Gamaredon × Turla Collaboration (September 2025)
- Sonatype — Q2 2025 Open Source Malware Index
- G DATA — Turla: A Master of Deception (2024)
- CYFIRMA — APT Quarterly Highlights Q1 2024