View on MITRE ATT&CK

T1027.002 - Software Packing

Sub-technique
Tactics:
Defense Evasion
Platforms:
Linux macOS Windows
Detection:
Not specified
Description:
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
Used by Actors (20)
APT3
Nation-state
APT29
Nation-state
Kimsuky
Nation-state
Dark Caracal
Unknown
TA505
Unknown
APT39
Unknown
Rocke
Unknown
APT41
Nation-state
GALLIUM
Unknown
TeamTNT
Unknown
TA2541
Unknown
Aoqin Dragon
Unknown
Volt Typhoon
Unknown
MoustachedBouncer
Nation-state
Storm-0501
Unknown
Medusa Group
Unknown
Elderwood
Unknown
Patchwork
Unknown
APT38
Unknown
Saint Bear
Unknown
Malware (20)
TrickBot other BLINDINGCAN other Spark other Torisma other yty other COATHANGER other Misdat other AppleSeed other NETWIRE other GreyEnergy other Emotet other Tomiris other Machete other Squirrelwaffle other Hildegard other FYAnti other ZeroT other Raspberry Robin other Raindrop other IcedID other
Metadata
MITRE ID: T1027.002
STIX ID: attack-pattern--deb98323-e13f-...
Platforms: Linux, macOS, Windows
Created: 13/01/2026 17:48
Updated: 06/03/2026 16:00