MITRE ATT&CK Technique: Malware (T1587.001, tactic: Resource Development)
Description
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)

During malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat actor impersonates FSB APT)(Citation: GamaCopy organization)

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)
Supported Platforms
PRE
Created
October 1, 2020 (STIX object created 2020-10-01T01:33:01.433Z)
Last Updated
October 24, 2025 (STIX object modified 2025-10-24T17:48:30.776Z; ATT&CK object version 1.3)
STIX Data
{
  "created": "2020-10-01T01:33:01.433Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nDuring malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat actor impersonates FSB APT)(Citation: GamaCopy organization)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
  "external_references": [
    {
      "external_id": "T1587.001",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1587/001"
    },
    {
      "description": "Catalin Cimpanu. (2025, January 22). Risky Bulletin: Threat actor impersonates FSB APT for months to target Russian orgs. Retrieved June 14, 2025.",
      "source_name": "Risky Bulletin Threat actor impersonates FSB APT",
      "url": "https://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/"
    },
    {
      "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.",
      "source_name": "ActiveMalwareEnergy",
      "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"
    },
    {
      "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.",
      "source_name": "FireEye APT29",
      "url": "https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf"
    },
    {
      "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
      "source_name": "Kaspersky Sofacy",
      "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
    },
    {
      "description": "Knownsec 404 Advanced Threat Intelligence team. (2025, January 21). Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military — related bait to launch attacks on Russia. Retrieved June 14, 2025.",
      "source_name": "GamaCopy organization",
      "url": "https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa"
    },
    {
      "description": "Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.",
      "source_name": "Mandiant APT1",
      "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
    },
    {
      "description": "Paul Rascagneres, Martin Lee. (2018, February 26). Who Wasn’t Responsible for Olympic Destroyer?. Retrieved June 14, 2025.",
      "source_name": "Olympic Destroyer",
      "url": "https://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/"
    },
    {
      "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.",
      "source_name": "FBI Flash FIN7 USB",
      "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/"
    }
  ],
  "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "resource-development"
    }
  ],
  "modified": "2025-10-24T17:48:30.776Z",
  "name": "Malware",
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "revoked": false,
  "spec_version": "2.1",
  "type": "attack-pattern",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_is_subtechnique": true,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "PRE"
  ],
  "x_mitre_version": "1.3"
}
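The STIX object above is what an ATT&CK consumer actually ingests: the technique ID lives only in the mitre-attack entry of external_references, the tactic only in kill_chain_phases, citations are embedded in the description as "(Citation: source_name)" markers that must be joined back to external_references by source_name, and cross-references to other techniques are markdown links into attack.mitre.org. The following Python is an added example, not MITRE's own code or the mitreattack-python library, showing how to turn one such object into a compact record for a threat-intel database, flagging citation markers that have no matching reference. The embedded object is an abridged copy of the page's T1587.001 object (description shortened, all citation markers and links kept); the function names are this example's own.

```python
"""Summarize a MITRE ATT&CK STIX 2.1 attack-pattern object (added example)."""
import json
import re

# Sample input: abridged copy of the T1587.001 object on this page. The
# description is shortened but keeps every citation marker and inline technique
# link; the other fields are as on the page. Constructed for the example.
ATTACK_PATTERN = {
    "type": "attack-pattern",
    "spec_version": "2.1",
    "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
    "name": "Malware",
    "revoked": False,
    "x_mitre_deprecated": False,
    "x_mitre_is_subtechnique": True,
    "x_mitre_platforms": ["PRE"],
    "x_mitre_domains": ["enterprise-attack"],
    "kill_chain_phases": [
        {"kill_chain_name": "mitre-attack", "phase_name": "resource-development"}
    ],
    "description": (
        "Adversaries may develop malware and malware components that can be used "
        "during targeting.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)"
        "(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\n"
        "During malware development, adversaries may intentionally include "
        "indicators aligned with other known actors in order to mislead attribution "
        "by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat "
        "actor impersonates FSB APT)(Citation: GamaCopy organization)\n\n"
        "For example, malware developed that will communicate with Twitter for C2 "
        "may require use of [Web Services](https://attack.mitre.org/techniques/"
        "T1583/006).(Citation: FireEye APT29)"
    ),
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "T1587.001",
         "url": "https://attack.mitre.org/techniques/T1587/001"},
        {"source_name": "Mandiant APT1", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"},
        {"source_name": "Kaspersky Sofacy", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"},
        {"source_name": "ActiveMalwareEnergy", "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"},
        {"source_name": "FBI Flash FIN7 USB", "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/"},
        {"source_name": "Olympic Destroyer", "url": "https://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/"},
        {"source_name": "Risky Bulletin Threat actor impersonates FSB APT", "url": "https://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/"},
        {"source_name": "GamaCopy organization", "url": "https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa"},
        {"source_name": "FireEye APT29", "url": "https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf"},
    ],
}

# ATT&CK embeds citations as "(Citation: <source_name>)" and cross-references
# as markdown links into attack.mitre.org/techniques/<Txxxx>/<yyy>.
CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")
ATTACK_LINK_RE = re.compile(r"\[([^\]]+)\]\(https://attack\.mitre\.org/techniques/([^)]+)\)")


def attack_id(obj):
    """Return the ATT&CK ID (e.g. 'T1587.001') from the mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    raise ValueError(f"no mitre-attack external_id on {obj.get('id')!r}")


def parent_id(tech_id):
    """'T1587.001' -> 'T1587'; a top-level technique has no parent."""
    return tech_id.split(".", 1)[0] if "." in tech_id else None


def resolve_citations(obj):
    """Map each cited source_name (in order of first use) to its URL, or None if unmatched."""
    refs = {r["source_name"]: r.get("url")
            for r in obj.get("external_references", []) if "source_name" in r}
    names = list(dict.fromkeys(CITATION_RE.findall(obj.get("description", ""))))
    return {name: refs.get(name) for name in names}


def related_techniques(obj):
    """ATT&CK IDs linked inline in the description, e.g. 'T1583.006'."""
    return [path.replace("/", ".") for _, path in ATTACK_LINK_RE.findall(obj.get("description", ""))]


def clean_description(obj):
    """Description with citation markers removed and links reduced to 'Name (Txxxx.yyy)'."""
    text = CITATION_RE.sub("", obj.get("description", ""))
    text = ATTACK_LINK_RE.sub(lambda m: f"{m.group(1)} ({m.group(2).replace('/', '.')})", text)
    return text.strip()


def summarize(obj):
    """Flatten one attack-pattern object into the fields a technique catalogue needs."""
    if obj.get("type") != "attack-pattern":
        raise ValueError(f"expected attack-pattern, got {obj.get('type')!r}")
    tid = attack_id(obj)
    citations = resolve_citations(obj)
    return {
        "id": tid,
        "parent": parent_id(tid) if obj.get("x_mitre_is_subtechnique") else None,
        "name": obj.get("name"),
        "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                    if p.get("kill_chain_name") == "mitre-attack"],
        "platforms": obj.get("x_mitre_platforms", []),
        "domains": obj.get("x_mitre_domains", []),
        # Revoked or deprecated objects stay in the bundle; do not map to them.
        "active": not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False),
        "citations": citations,
        "unresolved_citations": [n for n, url in citations.items() if url is None],
        "related_techniques": related_techniques(obj),
        "summary": clean_description(obj),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(ATTACK_PATTERN), indent=2))
```

The same function works unchanged on every attack-pattern object in the enterprise-attack bundle; the unresolved_citations list is the check worth keeping when you re-ingest a new ATT&CK release, since a renamed source_name silently breaks the citation-to-URL join.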