MITRE ATT&CK Technique
Description
Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:22.096Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries can use binary padding to add junk data and '
'change the on-disk representation of malware without '
'affecting the functionality or behavior of the binary. This '
'will often increase the size of the binary beyond what some '
'security tools are capable of handling due to file size '
'limitations.\n'
'\n'
'Binary padding effectively changes the checksum of the file '
'and can also be used to avoid hash-based blacklists and '
'static anti-virus signatures.(Citation: ESET OceanLotus) The '
'padding used is commonly generated by a function to create '
'junk data and then appended to the end or applied to sections '
'of malware.(Citation: Securelist Malware Tricks April 2017) '
'Increasing the file size may decrease the effectiveness of '
'certain tools and detection capabilities that are not '
'designed or configured to scan large files. This may also '
'reduce the likelihood of being collected for analysis. Public '
'file scanning services, such as VirusTotal, limits the '
'maximum size of an uploaded file to be analyzed.(Citation: '
'VirusTotal FAQ)\n',
'external_references': [{'external_id': 'T1009',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1009'},
{'external_id': 'CAPEC-572',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/572.html'},
{'description': 'Foltýn, T. (2018, March 13). '
'OceanLotus ships new backdoor using '
'old tricks. Retrieved May 22, 2018.',
'source_name': 'ESET OceanLotus',
'url': 'https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/'},
{'description': 'Ishimaru, S.. (2017, April 13). Old '
'Malware Tricks To Bypass Detection '
'in the Age of Big Data. Retrieved '
'May 30, 2019.',
'source_name': 'Securelist Malware Tricks April 2017',
'url': 'https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/'},
{'description': 'VirusTotal. (n.d.). VirusTotal FAQ. '
'Retrieved May 23, 2019.',
'source_name': 'VirusTotal FAQ',
'url': 'https://www.virustotal.com/en/faq/'}],
'id': 'attack-pattern--519630c5-f03f-4882-825c-3af924935817',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:46.598Z',
'name': 'Binary Padding',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Martin Jirkal, ESET'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.2'}