Develop Capabilities: Malware

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.[1][2][3][4]

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of Web Services.[5]

ID: T1587.001
Sub-technique of:  T1587
Platforms: PRE
Version: 1.2
Created: 01 October 2020
Last Modified: 14 January 2022

Procedure Examples

ID Name Description
G0016 APT29

APT29 has leveraged numerous pieces of malware that appear to be unique to APT29 and were likely developed for or by the group.[6][7][8]

G0003 Cleaver

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[9]

G0046 FIN7

FIN7 has developed malware for use in operations, including the creation of infected removable media.[4][10]

G0004 Ke3chang

Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.[11]

G0094 Kimsuky

Kimsuky has developed its own unique malware such as for use in operations.[12][13]

G0032 Lazarus Group

Lazarus Group has developed custom malware for use in their operations.[14][15][16][17]

G0014 Night Dragon

Night Dragon used privately developed and customized remote access tools.[18]

G0034 Sandworm Team

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[19]

G0139 TeamTNT

TeamTNT has developed custom malware such as Hildegard.[20]

G0010 Turla

Turla has developed its own unique malware for use in operations.[21]


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component
DS0004 Malware Repository Malware Content
Malware Metadata

Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.