The MITRE ATT&CK T1027 Obfuscated Files or Information Technique

Concealing the true nature of malicious files and information is one of the most prevalent adversary techniques. Through the use of various obfuscation techniques, cyber threat actors have made their tools and scripts more challenging for security controls and human observers to understand and analyze. Obfuscation also allows adversaries to bypass signature-based detection, inhibit reverse engineering efforts, 

In this blog, we explain the T1027 Obfuscated Files or Information technique of the MITRE ATT&CK® framework and how adversaries employ its sub-techniques in attack campaigns in detail.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

Adversary Use of Obfuscated Files or Information

Adversaries obfuscate malicious files, codes, commands, configurations, and other information to avoid detection by security controls. The most common obfuscation methods are:

• Changing the form of data: This method includes mechanisms that transform data to avoid detection, such as compression, archiving, packing, and archiving. Some of these mechanisms require user interaction to revert data to its original form, such as submitting a password to open a password-protected file.
• Changing the size of data: This method includes mechanisms, such as binary padding, that increase the size of a malicious file without affecting its functionality and behavior. The goal is to evade security tools that aren't configured to scan files larger than a specific size.
• Hiding malicious data: These mechanisms hide the malicious data in seemingly benign files. Before hiding in a file, the data can be split to decrease its detection rate. Steganography and HTML smuggling are some examples of this method.
• Obfuscating or removing indicators: This method includes mechanisms that are used to obfuscate or remove indicators of compromise from malicious files to avoid detection. File signatures, environment variables, characters, section names, and other platform/language/application-specific semantics are some indicators obfuscated/removed by attackers to bypass signature-based detections.
• Manipulating the code structure: Adversaries obfuscate the logical flow of their scripts through techniques such as code rearrangement, making it challenging for security analysts to analyze the true nature of the code.

Sub-techniques of T1027 Obfuscated Files or Information

#10.1. T1027.001 Binary Padding

Binary padding is adding junk data to the original malware binary to alter the malware's on-disk representation without affecting its functionality or behavior. Adversaries use binary padding to bypass certain security scanners that ignore files larger than a specified size and avoid hash-based static controls.

Adversaries employ binary padding to manipulate the on-disk representation of malware, introducing an element of obfuscation that challenges conventional security tools. Adding extraneous or "junk" data to the binary file is a common binary padding method that is used to surpass file size limitations imposed by certain security tools and to modify the checksum of the file, thereby evading hash-based blocklists and static antivirus signatures. This added data does not alter the functionality or behavior of the malware but serves to increase the overall file size. 

Some security solutions are designed with limitations on the maximum file size they can effectively handle. The inflated size resulting from binary padding can render these tools less effective, potentially causing them to skip or mishandle larger files during analysis. Many current cloud and on-premise antivirus and antimalware tools set the default maximum file size values of 25 MB, 100 MB, 120 MB, 150 MB, and 200 MB for files to be inspected. Files above the maximum file size will not be scanned by antivirus and antimalware tools. These tools also allow users to change or remove the size limit. 

Moreover, the maximum file size that public file scanning services can analyze is also limited. For example, the current file upload limit of VirusTotal is 650 MB.

For example, Emotet malware uses 00-byte padding to inflate the file size [1]. Adversaries use this technique to inflate the Emotet DLL with 00 bytes in the overlay, expanding the PE file from 616 KB to 548 MB. 

In another example, OriginBotnet uses the binary padding technique for defense evasion [2]. Adversaries inflate their loader to 400 MB by adding null bytes.

#10.2. T1027.002 Software Packing

Software packing is a method that combines compression and encryption of software to reduce its size and prevent it from reverse-engineering. Adversaries use software packing to conceal malicious software and avoid signature-based detection by changing the file signature.

Packers are utilities that are used for software packing. In most cases, packers can be loosely classified into three categories:

• Compressing packers are used to distribute executables in a compressed format, primarily to reduce the file's size.
• Encrypting packers are used to encrypt or obfuscate the distributed executable to prevent end-users from reverse engineering it.
• Hybrid packers are used to both compress and encrypt executable files.

For example, MPRESS and UPX are two examples of compressing packers, which are legitimately used to reduce the file size of executables. However, they are abused by malware developers to avoid signature-based detections. Additionally, packers can significantly slow down manual malware analysis, potentially enabling the malware for a longer dwell time. VMProtect, ASPack, Themida, Exe Packer, and Morphine are some other common packers. To decrease the detection rate, adversaries also use modified versions of packers. 

There are some indicators that indicate an executable is packed:

• Section names:   The majority of packers will assign their own section names to sections within the binary. For example, UPX uses UPX0, UPX1 MPRESS uses MPRESS1, MPRESS2, and VMProtect uses vmp0 and vmp1 as section names.
• Entropy values: The entropy of a file is a measure of the randomness of the characters contained within the file. When a file is compressed or encrypted, it will have high entropy.
• Import table: The Import Table of a packed file includes very few functions such as VirtualProtect, GetProcAddress, and LoadLibraryA, because the packed file hides the majority of the functions and leaves only those that are required during the unpacking process.

For example, the Chinese APT group Iron Tiger uses VMProtect to repackage components from a legitimate chat application along with malicious executables [3]. The tampered chat application is later used in phishing attacks.

#10.3. T1027.003 Steganography

Steganography is a technique for concealing secret data within a non-secret file or message in order to avoid detection. Thus, the secret message's existence is frequently difficult to detect. Steganography can be used to conceal almost any type of digital file within another digital file, including image, video, audio, or text files.

Steganography comes from two Greek words: steganos, which means "covered," and graphia, which means "writing." Steganography is an ancient practice that has been used in many forms to keep conversations hidden for thousands of years.

Although both cryptography and steganography share the nearly identical purpose of protecting a message or piece of information from third parties, they use entirely different approaches to protect the information. In cryptography, the content is concealed, and everyone knows that there is a secret message in the concealed content. However, in steganography, only the sender and intended recipient know the existence of the secret message. Modern digital steganography uses both steganography and cryptography. For example, the information to be hidden is first encrypted or obfuscated in some algorithms and then inserted into the cover file.

Adversaries use steganography to prevent the detection of hidden information. Many security controls allow image file formats. Embedding malicious payloads with steganography into images and hosting them on legitimate image-hosting platforms or on compromised websites allows adversaries to bypass security controls. Downloading images from these websites does not raise suspicion. Thus, adversaries commonly hide malicious payloads in image files.

For example, the APT37 threat group used the steganography technique in intelligence collection campaigns [4]. The threat group hid their M2RAT malware in JPEG files using steganography and delivered it via phishing emails. When unsuspecting victims open the file, the malware is injected into explorer.exe.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

#10.4. T1027.004 Compile After Delivery

The Compile After Delivery technique involves delivering malicious files to victims as uncompiled code to make files challenging to discover and analyze. Malicious payloads as text-based source code files may bypass protections targeting executables/binaries. Prior to execution, these payloads must be compiled, typically using native utilities such as csc.exe or GCC/MinGW.

Adversaries use the Compile After Delivery technique to obfuscate their malicious intent by delivering payloads as uncompiled source code. Since security controls are designed to target executable binaries, text-based source code files often evade detection. Adversaries often employ native utilities such as csc.exe or GCC/MinGW to compile the source code into executable binaries. This deferred compilation process adds complexity to the detection and analysis of the payload, as the malicious components are only revealed when the code is compiled and executed on the victim's system. To further complicate analysis and evade detection, adversaries may also encrypt, encode, or embed source code payloads within other files. 

Adversaries exploit the inherent trust associated with certain file formats by delivering payloads in formats that are unrecognized or considered benign by the native operating system. For instance, delivering EXE files on macOS or Linux, which are traditionally associated with Windows executables, may trick users and security systems into a false sense of security. The adversary then includes a bundled compiler and execution framework to (re)compile the source code into a proper executable binary. This method of disguising the payload in an inconspicuous format before later transforming it into a recognizable executable further complicates the identification of malicious intent.

An Iranian threat group called Imperial Kitten deploys a downloader malware called IMAPLoader using the "Compile After Delivery" technique [5]. After initial access via a malicious Excel document, the C# source code file named source.cs is written to the disk. Then, adversaries compiled the source code into the IMAPLoader malware using the native C# compiler csc.exe. 

ProxyShellMiner malware also uses the csc.exe with InMemory compile parameters to execute embedded code modules [6].

#10.5. T1027.005 Indicator Removal from Tools

Antivirus and other security controls often look for indicators or artifacts of malware to identify and quarantine malicious tools. In response, adversaries modify their tools by removing the distinctive indicators that led to their detection and become undetectable by the target's defensive controls. This method is categorized as Indicator Removal from Tools in the MITRE ATT&CK framework.

Adversaries employ the "Indicator Removal from Tools" technique to remove or alter the identifiable features of the malware, such as modifying the file signature, obfuscating code patterns, or changing the encryption techniques employed. This new version of the malware is reintroduced into the targeted environment with a significantly reduced risk of being identified and neutralized by the defensive systems.

A typical example of this technique is changing the file signatures of a malware file. Suppose that an attacker realized that malware was detected because of its file signature. Then, the attacker will modify the file to avoid that signature and use this updated version in subsequent attacks. For example, some threat actors use the hashbusting method to obfuscate malware by subtly changing it on the fly. Thus, each sample has a different checksum.

Qakbot banking trojan uses this method to make the SHA256 hash of each payload downloaded from C2 servers unique [7].

Adversaries also obfuscate the variable names used in the executable file to avoid being detected by string analysis. For example, Vidar infostealer malware uses obfuscated stack strings within its executable files [8].

#10.6. T1027.006 HTML Smuggling

HTML smuggling is hiding malicious payloads inside HTML files through JavaScript Blobs and/or HTML5 download attributes. By using the HTML smuggling technique, adversaries can evade content filters of security controls by concealing malicious payloads within seemingly benign HTML files.

HTML5 introduced the download attribute for the anchor (<a>) tag. The download attribute indicates that when a user clicks on the hyperlink, the target (the file specified in the href attribute) will be downloaded.

A download attribute can also be created using JavaScript instead of HTML: 

Adversaries combine the download attribute with JavaScript Blobs (Binary Large Object). HTML documents have the ability to store large binary objects referred to as JavaScript Blobs [9]. A blob is a file-like object of immutable, raw data, and it can be read as text or binary data. Adversaries can use blobs in HTML files to store their malicious payloads. Since the final content may have benign MIME types such as text/plain and/or text/html, web content filters may not identify smuggled malicious files inside HTML/JS files. A Blob can be constructed locally using pure JavaScript [10]. 

This line creates a Blob of MIME-type text/plain and fills it with the data contained in variable maliciousData. Then, using URL.createObjectURL, we can generate a URL from the Blob object and associate it with an anchor point and a file name with the download attribute:

For example, QakBot data stealer malware uses the HTML Smuggling technique to trick users into thinking that the HTML attachment is harmless [11]. However, adversaries smuggled a malicious JavaScript file into the hyperlink tag in Base64 format. When users click the hyperlink, the dropped JavaScript file runs a PowerShell command that deploys QakBot in the victim's system.

Data URLs also enable malware developers to embed small malicious files inline in documents. For example, a base64 encoded malicious payload can be stored in a data URL with the following format:

Since the MIME type of this data URL is text/plain, it may evade some content filters.

#10.7. T1027.007 Dynamic API Resolution

Dynamic API resolution is a programming concept where the determination of which functions or methods to invoke in a software application is made at runtime rather than during the compilation phase. In traditional programming, Application Programming Interfaces (APIs) are typically resolved statically, meaning that the compiler identifies and links the specific functions or methods at compile time. In contrast, dynamic API resolution allows for flexibility in choosing and invoking functions or methods based on conditions that are evaluated at runtime. This approach is useful in scenarios where the exact implementation details or versions of APIs are unknown or may change dynamically during the execution of the program.

Adversaries commonly use Native API functions provided by the operating system to carry out diverse tasks involving processes, files, and other system artifacts. However, there is a risk that these API calls may leave static artifacts, such as strings in payload files. Malware analysts may use these artifacts and other structures, such as the import address table (IAT), to figure out which functions are executed by the malware. 

To eliminate this risk, adversaries turn to dynamic API resolution. The Dynamic API Resolution technique allows adversaries to obfuscate the API functions called by their malware to conceal the underlying functionalities and characteristics of the malware until runtime. 

One prevalent approach involves the use of hashes of API function names. These hashes or other identifiers act as cryptographic representations of the function names and are used by the malware to manually reproduce the linking and loading process through functions such as GetProcAddress() and LoadLibrary(). However, adversaries don't stop at hashes; they may further obfuscate these identifiers using encryption or other string manipulation tricks. This additional layer of obfuscation requires various forms of deobfuscation or decoding during the execution of the malware, adding complexity to the analysis process.

LobShot backdoor uses this common Dynamic API Resolution method [12]. The malware uses the functions below to resolve the names of the Windows APIs needed at runtime as opposed to placing the imports into the program ahead of time.

LockBit 3.0 ransomware uses a highly complicated method to employ the Dynamic API Resolution technique [13]. The malware reconstructs the Import Address Table (IAT) in three stages. In the first stage, the malware identifies DLLs within the system memory using string hashes. In the second stage, LockBit 3.0 extracts the API address by parsing the InLoadOrderModuleList and comparing the API name hash. In the third and final stage, the ransomware Arbitrarily selects one of the five available stubs for IAT reconstruction. Each stub retrieves the genuine API address through a circular shift and XOR operation using a hardcoded key.

#10.8. T1027.008 Stripped Payloads

A payload is a generic term for a malicious component designed to perform a specific action, such as exploiting a vulnerability or encrypting sensitive files. Adversaries conceal their payload within other data or code,  making it challenging for security controls to detect and mitigate the threat. Adversaries take this to the next step by removing unnecessary elements from the malicious code and streamlining it to its essential components. The resulting payloads are called stripped payloads, and they are more covert, efficient, and harder to detect by antivirus software or other security measures.

Symbols generated by an operating system's linker during the compilation of executable payloads play a crucial role in aiding developers and reverse engineers in understanding the code's functionality. Likewise, strings and variable names within scripts and executables serve as documentation for code functionality. Adversaries employ the Stripped Payloads technique to make malware analysis more challenging by eliminating symbols, strings, and other human-readable information. 

Adversaries intentionally strip away these human-readable elements by removing symbols and obfuscating strings. This action makes the code less comprehensible to both automated security tools and malware analysts. Compilers and other programming tools often provide features specifically designed to remove or obfuscate these elements, allowing adversaries to create stripped payloads that are more resilient to reverse engineering efforts.

macOS.OSAMiner is a crypto miner that leverages AppleScripts in run-only format to remove symbols and other identifiable information [14]. Adversaries inserted a decode function into the malware and called it multiple times to decode obfuscated strings of hex characters, allowing them to conceal the script's functionality and purpose.

In another example, adversaries used a malware dropper named dca.ELF to deploy XMRIG cryptominer [15]. The ELF file uses the Stripped Payload technique to hide its functionalities by removing symbols and strings after unpacking the binary.

Download the Red Report - Top Ten MITRE ATT&CK Techniques

#10.9. T1027.009 Embedded Payloads

Embedded payloads are discreet elements of code or data strategically inserted within a larger software. The term encapsulates the concept of incorporating specific functionalities, instructions, or data within a broader system, often with the intention of achieving specific goals or outcomes. Adversaries also utilize embedded payloads to place malicious code into seemingly harmless files or programs to exploit vulnerabilities, compromise system integrity, or gain unauthorized access. 

Adversaries leverage the Embedded Payloads technique to conceal malicious content within various file formats, a tactic aimed at evading detection by security controls. Seemingly benign files, such as scripts and executables, are used to obfuscate the true nature of these embedded payloads. 

Adversaries commonly nest their payloads inside a file of the same format to add an extra layer of complexity to the detection process and enable malware to capitalize on the familiarity of the file format. The use of similar formats contributes to confusing security controls to differentiate between legitimate and malicious content.

Snake malware is a great example of adversary use of the Embedded Payloads technique [16]. Snake malware evolved into a highly capable cyber espionage tool during its 20 years of development. Each feature is embedded into the malware as modules and adversaries use different configuration parameters to access the embedded executables. The list of embedded tools is given below.

#10.10. T1027.010 Command Obfuscation

Command obfuscation is used to conceal the functionality of commands or code. This technique involves various methods, such as encrypting or encoding command strings, using polymorphic techniques to dynamically alter code patterns, or employing other tactics to make the code appear benign at first glance. Command obfuscation adds layers of complexity to the code and acts as a barrier for automated security tools and malware analysts.

Adversaries use the Command Obfuscation technique to make threat detection more challenging for security controls. Adversaries manipulate strings and patterns within commands and scripts to evade signature-based detection and analysis. This form of obfuscation is commonly integrated into commands executed by delivered payloads, whether through phishing attacks or drive-by compromises or interactively via command and scripting interpreters.

Command obfuscation involves the deliberate abuse of syntax, utilizing various symbols and escape characters such as spacing, ^, +, $, and %. The technique aims to make commands convoluted and challenging to analyze while retaining their intended functionality. The example below shows that adversaries can add the caret '^' symbol to commands without affecting their functionality.

Many programming languages also provide built-in obfuscation mechanisms, such as base64 or URL encoding. Encoding a command obscures the original structure of the command, requiring defenders to decode and interpret it accurately to unveil the malicious activities. 

To create a labyrinth in the code structure, adversaries implement manual command obfuscation techniques like [17]: 

• string splitting: "Wor"+"d.Application"
• altering the order and casing of characters: rev <<<'dwssap/cte/ tac'
• globing: mkdir -p '/tmp/:&$NiA'

Directory traversal is another method for command obfuscation. Adversaries use directory traversal techniques to mask references to the binary being invoked by a command. For instance, a command may contain convoluted paths, such as 'C:/Windows/system32\.//\\\./\/\/.\calc.exe' exploiting the traversals to mislead analysts about the true location and purpose of the invoked binary [18].

Adversaries leverage specialized open-source tools like Invoke-Obfuscation and Invoke-DOSfuscation to automate obfuscation. These tools offer a range of obfuscation capabilities, from encoding and encrypting to implementing more advanced techniques [19][20]. 

Hive ransomware threat actors use a PowerShell payload obfuscated with Base64 encoding [21]. The payload acts as a stager and downloads additional malware such as reflective loaders and in-memory Meterpreter from an adversary-controlled web server.

#10.11. T1027.011 Fileless Storage

Fileless storage is a data storage approach that stores and manages information without the need for explicit files or directories. Unlike conventional storage methods, where data is organized into files and folders, fileless storage utilizes metadata tags and attributes to organize and retrieve data. This method aims to enhance data accessibility, improve scalability, and streamline the management of large and diverse datasets.

Adversaries utilize the Fileless Storage technique as a covert repository to store critical data and hide malicious activities. Since fileless data storage operates in the ephemeral realm of system memory, this technique allows malware to evade antivirus and other endpoint security tools designed to scan for specific file formats stored on disk. The dynamic nature of fileless storage enables adversaries to run their operations without leaving traces.

Adversaries commonly use non-volatile fileless storage such as Windows Registry, event logs, and WMI repositories. For example, the DarkWatchman malware uses Windows Registry fileless storage to store data collected from its keylogger [22]. Instead of writing the captured data to disk, the malware stores the captured data in the registry below. 

This technique allows adversaries to maintain a low-profile presence on a compromised system, ensuring their foothold persists over time. Additionally, collected data can be stored discreetly until exfiltration.

In another example, Pure Clipper malware uses the Fileless Storage technique to establish persistence in the compromised system [23]. After creating the registry below, adversaries stored their malicious payload in the registry that creates a scheduled task for persistence.

Adversaries also employ other obfuscation techniques, such as encryption, encoding, or splicing, when storing data in fileless formats. This adds an additional layer of complexity to the detection process and makes it significantly more challenging for security controls and malware analysts.

#10.12. T1027.012 LNK Icon Smuggling

LNK files are commonly used to represent shortcuts to executable programs or documents on a computer's desktop or in file directories. LNK Icon Smuggling is an adversary technique used to disguise malicious files by manipulating the icons associated with shortcut (LNK) files. By changing the icon associated with the LNK file, attackers can create a misleading visual representation that hides the true nature of the linked executable.

Adversaries manipulate the icon displayed on a shortcut file to deceive users into thinking it leads to a legitimate application or document. This method aims to trick users into clicking on what appears to be a harmless shortcut, but it may execute malicious code in the target system. 

Adversaries use the LNK Icon Smuggling technique by changing the IconEnvironmentDataBlock metadata field in Windows shortcut files. This particular field specifies the path to an icon file that will be displayed for the LNK file. For example, adversaries may craft an LNK file that points to a PowerShell payload with an icon of a PDF file [24][25].

Moreover, adversaries were observed to use LNK files to appear as legitimate files while downloading malware in the background. In June 2023, adversaries were observed to use the LNK Icon Smuggling technique to distribute Win32.Trojan.Pantera keylogger [26]. When an unsuspecting user clicks on the malicious LNK file, the file downloads two files: a PDF file and a VBS script. The PDF file is a legitimate file and opens automatically after it is downloaded. However, the VBS script is a malicious file that deploys a keylogger silently in the background.

References

[1] "Emotet Returns, Now Adopts Binary Padding for Evasion," Trend Micro, Mar. 13, 2023. Available: https://www.trendmicro.com/en_za/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html.

[2] C. Lin, "OriginBotnet Spreads via Malicious Word Document," Fortinet Blog, Sep. 11, 2023. Available: https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document.

[3] "Iron Tiger's SysUpdate Reappears, Adds Linux Targeting," Trend Micro, Mar. 01, 2023. Available: https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html.

[4] February, "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)," ASEC BLOG, Feb. 21, 2023. Available: https://asec.ahnlab.com/en/48063/.

[5] PricewaterhouseCoopers, "Yellow Liderc ships its scripts and delivers IMAPLoader malware," PwC. Available: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html.

[6] A. Shekalim and M. Dereviashkin, "ProxyShellMiner Campaign Creating Dangerous Backdoors," Feb. 15, 2023. Available: https://blog.morphisec.com/proxyshellminer-campaign.

[7] C. François, "QBOT Malware Analysis." Available: https://www.elastic.co/security-labs.

[8] "[No title]." Available: https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf.

[9] "Blob," MDN Web Docs. Available: https://developer.mozilla.org/en-US/docs/Web/API/Blob.

[10] Stan, "HTML smuggling explained," Outflank, Aug. 14, 2018. Available: https://www.outflank.nl/blog/2018/08/14/html-smuggling-explained/.

[11] "QAKBOT Sneaks in Via HTML Smuggling and HTML Downloader." Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3730/qakbot-sneaks-in-via-html-smuggling-and-html-downloader.

[12] D. Stepanic, "Elastic Security Labs discovers the LOBSHOT malware." Available: https://www.elastic.co/security-labs.

[13] Mavis, "LockBit 3.0 Analysis: How to Enhance Ransomware and Malware Protection," TXOne Networks, Apr. 18, 2023. Available: https://www.txone.com/blog/malware-analysis-lockbit-3-0/.

[14] P. Stokes, "FADE DEAD," SentinelOne, Jan. 11, 2021. Available: https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/.

[15] N. Yaakov, "Apache Applications Targeted by Stealthy Attacker," Jan. 10, 2024. Available: https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker.

[16] "Hunting Russian Intelligence 'Snake' Malware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a.

[17] "Command Obfuscators — Bashfuscator 0.0.1 documentation." Available: https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html.

[18] "Website." Available: https://www.blackhat.com/asia-18/briefings.html#invoke-dosfuscation-techniques-for-%f-in-style-do-s-level-cmd-obfuscation

[19] "GitHub - danielbohannon/Invoke-Obfuscation: PowerShell Obfuscator," GitHub. Available: https://github.com/danielbohannon/Invoke-Obfuscation.

[20] "GitHub - danielbohannon/Invoke-DOSfuscation: Cmd.exe Command Obfuscation Generator & Detection Test Harness," GitHub. Available: https://github.com/danielbohannon/Invoke-DOSfuscation.

[21] "From ScreenConnect to Hive Ransomware in 61 hours," The DFIR Report, Sep. 25, 2023. Available: https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/.

[22] O. Soneye, "DarkWatchman RAT detection with," Wazuh, Aug. 09, 2023. Available: https://wazuh.com/blog/darkwatchman-rat-detection/.

[23] "Fileless Pure Clipper Malware: Italian users in the crosshairs," Cyble, Oct. 18, 2023. Available: https://cyble.com/blog/fileless-pure-clipper-malware-italian-users-in-the-crosshairs/.

[24] F. Weyne, "Booby trap a shortcut with a backdoor." Available: https://www.uperesia.com/booby-trapped-shortcut.

[25] "LnkParse3," PyPI. Available: https://pypi.org/project/LnkParse3/.

[26] A. P. Turhan, "Deep Dive: Analysis of Shell Link (.lnk) Files," Docguard | Detect malwares in seconds!, Jul. 09, 2023. Available: https://www.docguard.io/deep-dive-analysis-of-shell-link-lnk-binary-file-format-and-malicious-lnk-files/.