Deobfuscate/Decode Files or Information, Technique T1140 - Enterprise
During the 2025 Poland Wiper Attacks, the adversaries decoded a Base64-encoded ZIP archive using the built-in certutil.[5]
ABK has the ability to decrypt AES encrypted payloads.[6]
Action RAT can use Base64 to decode actor-controlled C2 server communications.[7]
Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[8]
Agrius has deployed base64-encoded variants of ASPXSpy to evade detection.[9]
Amadey has decoded antivirus name strings.[10]
ANELLDR can decrypt encrypted payload data using AES-256-CBC and subsequently execute the payload in memory.[11]
Apostle compiled code is obfuscated in an unspecified fashion prior to delivery to victims.[9]
AppleJeus has decoded files received from a C2.[12]
AppleSeed can decode its payload prior to execution.[13]
An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[14]
An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.[15][16]
During APT28 Nearest Neighbor Campaign, APT28 unarchived data using the GUI version of WinRAR.[17]
APT38 has used the RC4 algorithm to decrypt configuration data.[18]
APT39 has used malware to decrypt encrypted CAB files.[19]
ArcaneDoor involved the use of Base64 obfuscated scripts and commands.[20]
Aria-body has the ability to decrypt the loader configuration and payload DLL.[21]
The AshTag stager component can decode and decrypt Base64 and XOR-encrypted payloads.[22]
Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.[23][24]
AuditCred uses XOR and RC4 to perform decryption on the code functions.[25]
Avaddon has decrypted encrypted strings.[26]
Avenger has the ability to decrypt files downloaded from C2.[6]
AvosLocker has deobfuscated XOR-encoded strings.[27]
Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[28][29]
Babuk has the ability to unpack itself into memory using XOR.[30][31]
BabyShark has the ability to decode downloaded files prior to execution.[32]
BackConfig has used a custom routine to decrypt strings.[33]
BADFLICK can decode shellcode using a custom rotating XOR cipher.[34]
Bandook has decoded its PowerShell script.[35]
Bankshot decodes embedded XOR strings.[36]
Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.[37][38]
BBK has the ability to decrypt AES encrypted payloads.[6]
BBSRAT uses Expand to decompress a CAB file into executable content.[39]
BendyBear has decrypted function blocks using an XOR key during runtime to evade detection.[40]
Bisonal has decoded strings in the malware using XOR and RC4.[41][42]
BlackByte has encoded commands in base64-encoded sections concatenated together in PowerShell.[43] BlackByte uses PowerShell commands to disable Windows Defender.[44]
BlackByte Ransomware is distributed as an obfuscated JavaScript launcher file.[45]
BLINDINGCAN has used AES and XOR to decrypt its DLLs.[46]
BOOKWORM has decoded its Base64 encoded payload prior to execution.[47] BOOKWORM has also encrypted files with RC4 and has decrypted its payload prior to execution.[48]
BoomBox can decrypt AES-encrypted files downloaded from C2.[49]
BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[50]
BRICKSTORM has decoded its encrypted C2 traffic prior to execution.[51][52][53][54][55] BRICKSTORM also has the ability to decode its obfuscated payload before execution.[53]
BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[56]
BRUSHFIRE has decrypted XOR strings prior to execution.[57]
Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.[58]
Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.[59][60]
Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.[61]
BUSHWALK can Base64 decode and RC4 decrypt malicious payloads sent through a web request’s command parameter.[62][63]
During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[64]
During C0021, the threat actors deobfuscated encoded PowerShell commands including use of the specific string 'FromBase'+0x40+'String', in place of FromBase64String which is normally used to decode base64.[65][66]
Caminho can deobfuscate downloaded files prior to execution.[67]
Carbon decrypts task and configuration files for execution.[68][69]
Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[70]
CASTLETAP can filter and deobfuscate an XOR encrypted activation string in the payload of an ICMP echo request.[71]
certutil has been used to decode binaries hidden inside certificate files as Base64 information.[1]
Chaes has decrypted an AES encrypted binary file to trigger the download of other files.[72]
CharmPower can decrypt downloaded modules prior to execution.[73]
CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings.[74]
The Chinoxy dropping function can initiate decryption of its config file.[75]
Chrommme can decrypt its encrypted internal code.[76]
Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads.[77]
CLAIMLOADER has decoded its payload prior to execution.[78][79]
Clambling can deobfuscate its payload prior to execution.[80][81]
Clop has used a simple XOR operation to decrypt strings.[82]
COATHANGER decodes configuration items from a bundled file for command and control activity.[83]
Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.[84][85] The Cobalt Strike loader component can also decrypt the .bss section of the Beacon binary prior to execution.[86]
CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[87]
ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[88][89]
Conti has decrypted its payload using a hardcoded AES-256 key.[90][91]
CookieMiner has used Google Chrome's decryption and extraction operations.[92]
CorKLOG has decoded XOR encrypted strings.[93]
CostaBricks has the ability to use bytecode to decrypt embedded payloads.[94]
Crimson can decode its encoded PE file prior to execution.[95]
Cuckoo Stealer strings are deobfuscated prior to execution.[96][97]
Cyclops Blink can decrypt and parse instructions sent from C2.[98]
DanBot can use a VBA macro to decode its payload prior to installation and execution.[99]
DarkGate installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.[100] DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API CallWindowProc() to decode and then execute.[101]
Darkhotel has decrypted strings and imports using RC4 during execution.[102][103]
DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.[104]
DarkWatchman has the ability to self-extract as a RAR archive.[105]
DDKONG decodes an embedded configuration using XOR.[106]
DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.[64]
DEADWOOD XORs some strings within the binary using the value 0xD5, and deobfuscates these items at runtime.[9]
Denis will decrypt important strings used for C&C communication.[107]
DOWNIISSA can decode strings prior to execution.[108]
DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[109]
Drovorub has de-obfuscated XOR encrypted payloads in WebSocket messages.[110]
Dtrack has used a decryption routine that is part of an executable physical patch.[111]
DUSTPAN decodes and decrypts embedded payloads.[112]
DUSTTRAP deobfuscates embedded payloads.[112]
Dyre decrypts resources needed for targeting the victim.[113][114]
Earth Lusca has used certutil to decode a string into a cabinet file.[115]
Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[116]
Ecipekac has the ability to decrypt fileless loader modules.[117]
Egregor has been decrypted before execution.[118][119]
Embargo has utilized MDeployer to decrypt two payloads that contain MS4Killer toolkit b.cache and the Embargo ransomware executable a.cache with a hardcoded RC4 key wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB.[120]
Emotet has used a self-extracting RAR file to deliver modules to victims. Emotet has also extracted embedded executables from files using hard-coded buffer offsets.[121]
EnvyScout can deobfuscate and write malicious ISO files to disk.[49]
Exaramel for Linux can decrypt its configuration file.[122]
Exbyte decodes and decrypts data stored in the configuration file with a key provided on the command line during execution.[123]
Expand can be used to decompress a local or remote CAB file into an executable.[124]
FatDuke can decrypt AES encrypted C2 communications.[125]
FIN13 has utilized certutil to decode base64 encoded versions of custom malware.[126]
FIN7 has decoded a malicious PowerShell script using certutil -decode hex and has decoded an XOR-obfuscated block of data with the key qawsed1q2w3e, which led to the installation of Lizar.[127]
Final1stspy uses Python code to deobfuscate base64-encoded strings.[128]
FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[129][130]
FIVEHANDS has the ability to decrypt its payload prior to execution.[131][132][133]
FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using an XOR key.[134]
Fooder has decrypted payloads using the WinCrypt API and the AES key.[135]
FRAMESTING can decompress data received within POST requests.[62]
During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[136]
FYAnti has the ability to decrypt an embedded .NET module.[117]
Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded Base64-encoded source code of a downloader.[137][138][139] Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications.[140]
Gelsemium can decompress and decrypt DLLs and shellcode.[76]
gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.[141]
GLASSTOKEN has the ability to decode hexadecimal and Base64 C2 requests.[142]
GlassWorm has decoded its Base64 instructions.[143] GlassWorm has also decrypted its AES protected payloads.[144][143][145]
GoldMax has decoded and decrypted the configuration file when executed.[146][147]
Goopy has used a polymorphic decryptor to decrypt itself at runtime.[107]
Gootloader has the ability to decode and decrypt malicious payloads prior to execution.[148][149]
Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[150]
Grandoreiro can decrypt its encrypted internal strings.[151]
Green Lambert can use multiple custom routines to decrypt strings prior to execution.[152][153]
GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[154]
Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.[155][156]
HeartCrypt can decrypt payloads prior to execution.[157][158]
HermeticWiper can decompress and copy driver files using LZCopy.[159]
HexEval Loader has decoded its payload prior to execution.[160][161][162]
Heyoka Backdoor can decrypt its payload prior to execution.[163]
HiddenFace has the ability to decrypt its payload prior to execution.[164][165]
HiddenWasp uses a cipher to implement a decoding function.[166]
Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[167][168]
Hildegard has decrypted ELF files with AES.[169]
HTTPTroy has decoded strings encoded with Base64 and XOR prior to execution.[170]
HUI Loader can decrypt and load files containing malicious payloads.[171]
HyperBro can unpack and decrypt its payload prior to execution.[80][172]
IceApple can use a Base64-encoded AES key to decrypt tasking.[173]
Imminent Monitor has decoded malware components that are then dropped to the system.[174]
INC Ransomware can run CryptStringToBinaryA to decrypt base64 content containing its ransom note.[175]
Industroyer decrypts code to connect to a remote C2 server.[176]
InvisibleFerret has decoded XOR-encrypted and Base64-encoded payloads prior to execution.[177]
InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.[178][179]
IronNetInjector has the ability to decrypt embedded .NET and PE payloads.[180]
IronWind can deobfuscate the next stage payload using Base64 and XOR operations with the key "53".[181]
ISMInjector uses the certutil command to decode a payload file.[182]
During Juicy Mix, OilRig used a script to concatenate and deobfuscate encoded strings in Mango.[183]
Kapeka utilizes obfuscated JSON structures for various data storage and configuration management items.[184]
Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.[185]
Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[186]
Kessel has decrypted the binary's configuration once the main function was launched.[187]
KEYPLUG can decode its configuration file to determine C2 protocols.[64]
KGH_SPY can decrypt encrypted strings and write them to a newly created folder.[188]
Kimsuky has decoded malicious VBScripts using Base64.[189] Kimsuky has also decoded malicious PowerShell scripts using Base64.[190][191] Kimsuky has decoded RC4 obfuscated files prior to downloading files from their infrastructure.[191]
Kobalos decrypts strings right after the initial communication, but before the authentication process.[192]
KOCTOPUS has deobfuscated itself before executing its commands.[193]
KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.[194][195]
Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[196]
LAMEHUG can decode and drop a decoy file attached to spearphishing emails.[197]
Latrodectus has the ability to deobfuscate encrypted strings.[198][199][200]
Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.[201][202]
Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[203]
LightNeuron has used AES and XOR to decrypt configuration files and commands.[204]
LIGHTWIRE can RC4 decrypt and Base64 decode C2 commands.[62]
Line Dancer shellcode payloads are base64 encoded when transmitted to compromised devices.[205]
LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.[125]
Lizar has decrypted its configuration data, such as the C2 IP address, ports and other network communication.[206][207]
LockBit 2.0 can decode scripts and strings in loaded modules.[208][209]
The LockBit 3.0 payload is decrypted at runtime.[210][211][212]
Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[213]
LookBack has a function that decrypts malicious data.[214]
LP-Notes has decrypted strings with lengths ranging from 15 to 19 characters using the same decryption key for each string.[135]
Lucifer can decrypt its C2 address upon execution.[215]
Lumma Stealer has used Base64-encoded content during execution, decoded via PowerShell.[216]
LunarLoader can deobfuscate files containing the next stages in the infection chain.[217]
LunarMail can decrypt strings to retrieve configuration settings.[217]
LunarWeb can decrypt strings related to communication configuration using RC4 with a static key.[217]
Machete’s downloaded data is decrypted using AES.[218]
MacMa decrypts a downloaded file using AES-128-EBC with a custom delta.[219]
Mafalda can decrypt files and data.[220]
MagicRAT stores command and control URLs using base64 encoding in the malware's configuration file.[221]
Malteiro has the ability to deobfuscate downloaded files prior to execution.[222]
Medusa Ransomware has decoded XOR encrypted strings prior to execution in memory.[223][224]
MegaCortex has used a Base64 key to decode its components.[225]
menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.[226][227]
After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and reads the contents of the files.[228]
metaMain can decrypt and load other modules.[220]
Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[229][230][231]
MirageFox has a function for decrypting data containing C2 configuration information.[232]
Mispadu decrypts its encrypted configuration files prior to execution.[222][233]
Molerats decompresses ZIP files once on the victim machine.[234]
Mongall has the ability to decrypt its payload prior to execution.[163]
Moonstone Sleet delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and analysis.[235]
MOPSLED can decrypt obfuscated configuration files.[236]
More_eggs will decode malware components that are then dropped to the system.[237]
Mori can resolve networking APIs from strings that are ADD-encrypted.[238]
MuddyViper has decrypted the embedded HackBrowserData tool prior to execution.[135]
MuddyWater has decoded base64-encoded PowerShell, JavaScript, and VBScript.[239][240][241][242]
Mustang Panda has the ability to decrypt its payload prior to execution.[243][244][47][245] Mustang Panda has also utilized RC4 encryption for malicious payloads.[246][48]
NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[49]
Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.[247]
Nightdoor stores network configuration data in a file XOR encoded with the key value of 0x7A.[248]
The Ninja loader component can decrypt and decompress the payload.[249][250]
NOKKI uses a unique, custom de-obfuscation technique.[251]
NOOPLDR can decrypt its payload prior to execution.[252]
ODAgent can Base64-decode and XOR decrypt received C2 commands.[253]
OilBooster can Base64-decode and XOR-decrypt C2 commands taken from JSON files.[253]
An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[254][182][255][256]
Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.[257]
OnionDuke can use a custom decryption algorithm to decrypt strings.[125]
OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[255]
During Operation Dust Storm, attackers used VBS code to decode payloads.[258]
During Operation Honeybee, malicious files were decoded prior to execution.[259]
For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.[260]
OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[261] Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.[262][263]
OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the rotate function in reporting.[264]
P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[122]
PcShare has decrypted its strings by applying an XOR operation and a decompression using a custom implemented LZM algorithm.[75]
PHASEJAM has the ability to decode Base64 commands and data.[265]
PHPsert has the ability to decode and decrypt obfuscated strings prior to execution.[266]
Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.[267] Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload .text section before consolidating them for further execution.[268] Overall, LunarMail is associated with multiple encoding and encryption mechanisms to obfuscate the malware's presence and avoid analysis or detection.[269]
Pillowmint has been decompressed by included shellcode prior to being launched.[270]
PingPull can decrypt received data from its C2 server by using AES.[271]
PipeMon can decrypt password-protected executables.[272]
PITSTOP can deobfuscate base64 encoded and AES encrypted commands.[63]
PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[273][80][274] PlugX has also decrypted its payloads in memory.[275][276][244][245]
PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.[277]
PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[125]
PowerExchange can decode and decrypt C2 commands received via email.[278]
PowerLess can use base64 and AES ECB decryption prior to execution of downloaded modules.[279]
POWERSTATS can deobfuscate the main backdoor code.[241]
PowGoop can decrypt PowerShell scripts for execution.[238][280]
Proton uses an encrypted file to store commands and configuration values.[281]
PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[94]
Pteranodon can decrypt encrypted data strings prior to using them.[282]
PUBLOAD has decoded its payload prior to execution.[276][243][79][283][47]
PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.[284]
PureCrypter can decrypt downloaded resources and parse internal files to determine its settings.[285][158]
PyDCrypt has decrypted and dropped the DCSrv payload to disk.[286]
QakBot can deobfuscate and re-assemble code strings for execution.[287][288][289]
QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.[290]
QUIETCANARY can use a custom parsing routine to decode the command codes and additional parameters from the C2 before executing them.[291]
Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers.[292][293]
Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[294][295]
RainyDay can decrypt its payload via an XOR key.[296]
Ramsay can extract its agent from the body of a malicious document.[297]
RansomHub can use a provided passphrase to decrypt its configuration file.[298]
RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query parameter hmacTime. This decrypts to a filename that is then opened, read, encrypted with the same RC4 key, base64-encoded, written to standard out, then passed as a response to the HTTP request.[299]
Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis.[300]
RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.[301]
RedLine Stealer has decoded its payload prior to execution.[302]
During RedPenguin, UNC3886 used malware implants to deobfuscate incoming C2 messages and encoded archives.[303][304]
RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[125]
Remexi decrypts the configuration data using XOR with 25-character keys.[305]
The REPTILE launcher component can decrypt kernel module code from a file and load it into memory.[236]
REvil can decode encrypted strings to enable execution of commands and payloads.[306][307][308][309][310][311]
RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[312]
RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts.[236]
Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[313]
ROADSWEEP can decrypt embedded scripts prior to execution.[74][314]
ROAMINGHOUSE can decode and drop a malicious ZIP file prior to execution.[315]
Rocke has extracted tar.gz files after downloading them from a C2 server.[316]
RogueRobin decodes an embedded executable using base64 and decompresses it.[317]
ROKRAT can decrypt strings using the victim's hostname as the key.[318][319]
RotaJakiro uses the AES algorithm, bit shifts in a function called rotate, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the head and key sections in the network packet structure used for C2 communications.[320]
RustyWater has used the WriteHexToFile function to transform an embedded hex string to the payload CertificationKit.ini.[321]
Sagerunex uses a custom decryption routine to unpack itself during installation.[322]
Saint Bot can deobfuscate strings and files for execution.[323]
SampleCheck5000 can decode and decrypt command line strings and files received through C2.[183][253]
Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[324][325]
Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing.[326]
SDBbot has the ability to decrypt and decompress its payload to enable code execution.[327][328]
ShadowPad has decrypted a binary blob to start execution.[329]
Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.[330]
During SharePoint ToolShell Exploitation, threat actors decrypted scripts prior to execution.[331]
Shark can extract and decrypt downloaded .zip files.[332]
SharpStage has decompressed data received from the C2 server.[333]
ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[334]
Sibot can decrypt data received from a C2 and save to a file.[146]
SideTwist can decode and decrypt messages received from C2.[335]
Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio’s Resource Manager.[336]
Skidmap has the ability to download, unpack, and decrypt tar.gz files.[337]
SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.[338]
Smoke Loader deobfuscates its code.[339]
Snip3 can decode its second-stage PowerShell script prior to execution.[340]
During the SolarWinds Compromise, APT29 used 7-Zip to decode their Raindrop malware.[294]
SombRAT can run upload to decrypt and upload files from storage.[94][132]
SoreFang can decode and decrypt exfiltrated data sent to C2.[341]
Spark has used a custom XOR algorithm to decrypt the payload.[342]
SPAWNCHIMERA has decoded an XOR encoded private key.[343]
Upon execution, Spica can decode an embedded .pdf and write it to the desktop as a decoy document.[344]
SplatDropper has decoded an XOR encrypted payload.[93]
SQLRat has scripts that are responsible for deobfuscating additional scripts.[345]
Squirrelwaffle has decrypted files and payloads using an XOR-based algorithm.[346][347]
Starloader decrypts and executes shellcode from a file called Stars.jps.[348]
StarProxy has decrypted network packets using a custom algorithm.[349]
STEADYPULSE can URL decode key/value pairs sent over C2.[338]
StealBit can deobfuscate loaded modules prior to execution.[208][350]
Storm-1811 has distributed password-protected archives such as ZIP files during intrusions.[351]
StrelaStealer payloads have included strings encrypted via XOR.[352] StrelaStealer JavaScript payloads utilize Base64-encoded payloads that are decoded via certutil to create a malicious DLL file.[353][354]
Stuxnet decrypts resources that are loaded into memory and executed.[355]
SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.[356]
SystemBC has the ability to decrypt RC4 encrypted packets and to decode obfuscated data before C2 communication.[357] Additionally, SystemBC has decrypted its config file that was encoded with XOR and a hardcoded 40-byte key.[358]
SysUpdate can deobfuscate packed binaries in memory.[172]
TA505 has decrypted packed DLLs with an XOR key.[359]
Taidoor can use a stream cipher to decrypt strings used by the malware.[360]
TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.[361]
TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[362][363][295]
THINCRUST can deobfuscate RSA encrypted C2 commands received through the DEVICEID cookie.[71]
During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[364]
ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.[365]
TONESHELL has decoded its payload prior to execution.[79][366][283][349][367]
Torisma has used XOR and Base64 to decode C2 data.[368]
TrickBot decodes the configuration data and modules.[369][370][371]
Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.[372][373]
TSCookie has the ability to decrypt, load, and execute a DLL and its resources.[374]
Tsundere Botnet’s loader has decrypted obfuscated JavaScript files using the AES-256 CBC algorithm, a build-specific key, and initialization vector.[375][376]
Turian has the ability to use an XOR decryption key to extract C2 server domains and IP addresses.[377]
Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[378]
One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[379]
UPSTYLE encodes its main content prior to loading via Python as base64-encoded blobs.[380][381]
Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.[382]
Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[383]
Valak has the ability to decode and decrypt downloaded files.[384][385]
VaporRage can deobfuscate XOR-encoded shellcode prior to execution.[49]
VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.[386]
Volgmer deobfuscates its strings and APIs once it is executed.[387]
Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation via certutil.[388]
WarzoneRAT can use XOR 0x45 to decrypt obfuscated code.[389]
WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.[390]
Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.[391]
Waterbear has the ability to decrypt its RC4 encrypted payload for execution.[392]
WellMail can decompress scripts received from C2.[393]
WellMess can decode and decrypt data received from C2.[394][395][396]
WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[397][398]
WindTail has the ability to decrypt strings using hard-coded AES keys.[399]
Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[400]
The Winnti for Windows dropper can decrypt and decompress a data blob.[401]
Winter Vivern delivered exploit payloads via base64-encoded payloads in malicious email messages.[402]
WIREFIRE can decode, decrypt, and decompress data received in C2 HTTP POST requests.[403]
WIRTE has used Base64 to decode malicious VBS script.[404]
Woody RAT can deobfuscate Base64-encoded strings and scripts.[405]
xCaon has decoded strings from the C2 server before executing commands.[406]
XLoader uses XOR and RC4 algorithms to decrypt payloads and functions.[407] XLoader can be distributed as a self-extracting RAR archive that launches an AutoIT loader.[408]
XORIndex Loader can decode its payload prior to execution.[161]
YAHOYAH decrypts downloaded files before execution.[409]
Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.[410][411]
ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[412]
Zeus Panda decrypts strings in the code during the execution process.[413]
ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.[414]