T1497.002 User Activity Based Checks in MITRE ATT&CK Explained
February 25, 2026
What Is T1497.002 User Activity Based Checks in MITRE ATT&CK?
T1497.002 User Activity-Based Checks is a technique in the MITRE ATT&CK framework used by adversaries to detect whether their malware is running in a real user environment or a sandbox. By inspecting user-specific behaviors, attackers can determine the presence of a virtualized or isolated analysis environment.
Common methods include checking user directories like Desktop or Documents for files, examining browser history and cache, and monitoring real-time user interactions such as mouse movements and clicks.
They may also analyze process counts and network activity to further identify the environment. If the malware detects characteristics typical of a sandbox or analysis environment, it remains dormant to avoid detection, allowing the attacker to bypass security measures and increase the chances of successful execution in a real-world environment.
To read about other sub-techniques of the T1497 Virtualization and Sandbox Evasion technique, you can visit the related hub blog.
Adversary Use of T1497.002 User Activity Based Checks
Adversaries embed user‑activity checks to evade automated analysis tools (sandboxes, virtual machines) and avoid revealing malicious behavior during inspection.
For example:
- Some payloads will only activate after detecting a human interacting with the system, e.g. waiting until the user closes a document or double‑clicks an embedded image (common in macro-based malware).
- Others periodically check mouse cursor movement or click frequency. If the cursor hasn't moved or there are no clicks (common in sandbox runs), the malware assumes it's in a sandbox and aborts execution or remains inert.
- Malware may inspect the filesystem and user profile for signs of regular usage (e.g. browser history, files in Desktop or Documents). A "clean" profile might trigger evasive behavior, while a "populated" profile suggests a real user environment; only then does the malicious behavior unfold.
This approach dramatically reduces the chance that automated analysis (by sandbox, VM, or EDR product) will capture the malicious behavior, because such environments rarely replicate habitual user behavior (mouse/keyboard input, browsing history, many files, typical process counts, etc.).
As a result, adversaries can deliver payloads that remain stealthy during analysis, and only "go live" once they detect they're running on a real user device. That increases their chances of bypassing detection, sandbox‑based analysis, or even some behavioral security tools.
Procedure Examples From Red Report 2026
After two consecutive years in which it did not appear in the Top 10 (2024 and 2025), the Virtualization and Sandbox Evasion technique reemerged in Red Report 2026 as one of the most commonly used techniques.
A perfect example of this technique can be found in the analysis of LummaC2 malware v4.0, conducted in November 2025 [1]. This malware employs a strategy designed to delay execution indefinitely unless it detects a specific pattern of user activity, a pattern highly unlikely to be replicated by automated sandboxes.
1. Initial Mouse Movement Check
The malware first initiates a waiting loop to ensure the mouse cursor has moved at least once.
- It starts by getting the initial cursor position using the GetCursorPos() Windows API call.
- It then enters a loop, waiting for 300 milliseconds (Sleep(300)), and then recaptures the cursor position.
- If the new position is the same as the initial one, it repeats the wait. This continues until any mouse movement is detected, signifying at least some level of interactivity.
2. Capturing Movement Data
Once initial movement is confirmed, the malware must capture a short sequence of positions to analyze the movement's quality.
- It captures five consecutive cursor positions (P0, P1, P2, P3, P4) by repeatedly calling GetCursorPos().
- A short pause of 50 milliseconds (Sleep(50)) is inserted between each capture.
- Critically, it then checks that every captured position is different from its preceding one: (P0 != P1) && (P1 != P2) && (P2 != P3) && (P3 != P4). If this condition fails (meaning the mouse stopped briefly during the capture window), the entire process starts over from the 300ms wait. This ensures the movement is continuous and fast.
3. Human Behavior Detection via Trigonometry
The final, most sophisticated step uses mathematics to confirm the movement is smooth and human-like.
![Figure. Use of the Euclidean distance formula for 5 cursor positions [1]](https://www.picussecurity.com/hs-fs/hubfs/undefined-Feb-25-2026-07-22-49-8121-AM.png?width=1600&height=801&name=undefined-Feb-25-2026-07-22-49-8121-AM.png)
Figure. Use of the Euclidean distance formula for 5 cursor positions [1]
- The five captured cursor positions (P0 through P4) are treated as points forming four vectors: P01, P12, P23, and P34.
- The malware calculates the magnitude (distance) of each vector using the Euclidean distance formula.
- It then calculates the angle formed between the three consecutive vector pairs (P01-P12, P12-P23, and P23-P34) using the dot-product formula. The resulting angle in radians is then converted to degrees.
- Finally, it compares each calculated angle against a hardcoded threshold of 45.0 degrees.
If all calculated angles are lower than 45°, the malware concludes that it has detected "human" mouse behavior (smooth movement without abrupt changes in direction) and continues with its malicious execution.
If any calculated angle is greater than 45°, it assumes the movement is non-human (likely automated or erratic) and restarts the entire anti-sandbox process.
This technique ensures that automated sandboxes that only emulate simple, straight-line, or low-frequency movements will fail the check, causing the malware to remain inert. It provides an excellent, verifiable example of User Activity Based Checks by focusing on the quality of user interaction rather than just its presence.
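As an added example (not code from the Outpost24 analysis or from LummaC2 itself), the following Python reproduces the step 2 distinctness check and the step 3 vector/angle arithmetic on constructed five-point cursor traces, so a sandbox engineer can test offline whether a synthesized cursor path would pass or fail the 45° threshold. The coordinates are made-up sample data, and the function names are this example's own.

```python
import math
from typing import List, Tuple

Point = Tuple[int, int]
Vec = Tuple[int, int]

# Hardcoded threshold reported in the LummaC2 v4.0 analysis [1].
ANGLE_THRESHOLD_DEG = 45.0


def vector(a: Point, b: Point) -> Vec:
    """Movement vector from one captured position to the next (P01, P12, ...)."""
    return (b[0] - a[0], b[1] - a[1])


def angle_between_deg(u: Vec, v: Vec) -> float:
    """Angle between two consecutive movement vectors via the dot product, in degrees."""
    dot = u[0] * v[0] + u[1] * v[1]
    denom = math.hypot(*u) * math.hypot(*v)  # product of the Euclidean magnitudes
    cos_theta = max(-1.0, min(1.0, dot / denom))  # clamp against float rounding
    return math.degrees(math.acos(cos_theta))


def consecutive_points_distinct(points: List[Point]) -> bool:
    """Step 2: every capture must differ from the one before it."""
    return all(points[i] != points[i + 1] for i in range(len(points) - 1))


def trace_angles(points: List[Point]) -> List[float]:
    """Step 3: the three angles between vector pairs P01-P12, P12-P23, P23-P34."""
    vectors = [vector(points[i], points[i + 1]) for i in range(len(points) - 1)]
    return [angle_between_deg(vectors[i], vectors[i + 1]) for i in range(len(vectors) - 1)]


def passes_human_check(points: List[Point], threshold: float = ANGLE_THRESHOLD_DEG) -> bool:
    """True if a 5-sample trace satisfies the check; False means the malware
    would restart from its 300 ms wait loop."""
    if len(points) != 5 or not consecutive_points_distinct(points):
        return False  # a stalled cursor never reaches the angle test
    return all(angle < threshold for angle in trace_angles(points))


# Constructed sample traces (not captured from a real system).
SMOOTH_TRACE = [(100, 100), (110, 108), (121, 117), (133, 127), (146, 138)]  # gentle curve
ZIGZAG_TRACE = [(0, 0), (10, 0), (10, 10), (20, 10), (20, 20)]               # 90-degree turns
STALLED_TRACE = [(0, 0), (5, 5), (5, 5), (10, 10), (15, 15)]                 # cursor paused once

if __name__ == "__main__":
    for name, trace in [("smooth", SMOOTH_TRACE), ("zigzag", ZIGZAG_TRACE), ("stalled", STALLED_TRACE)]:
        angles = trace_angles(trace) if consecutive_points_distinct(trace) else []
        print(f"{name:8s} passes={passes_human_check(trace)} angles={[round(a, 1) for a in angles]}")
```

The smooth trace passes with all turns under a degree, the zigzag fails on every 90° turn, and the stalled trace is rejected at step 2 before any angle is computed.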
References
[1] “Analyzing LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection,” Outpost24, Nov. 20, 2023. Available: https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/.
