MITRE ATT&CK Technique
Description
Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1) Due to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c calc.exe`).(Citation: Electron 6-8) Adversaries may also execute malicious content by planting malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-03-07T19:32:35.383Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse components of the Electron framework to '
'execute malicious code. The Electron framework hosts many '
'common applications such as Signal, Slack, and Microsoft '
'Teams.(Citation: Electron 2) Originally developed by GitHub, '
'Electron is a cross-platform desktop application development '
'framework that employs web technologies like JavaScript, '
'HTML, and CSS.(Citation: Electron 3) The Chromium engine is '
'used to display web content and Node.js runs the backend '
'code.(Citation: Electron 1)\n'
'\n'
'Due to the functional mechanics of Electron (such as allowing '
'apps to run arbitrary commands), adversaries may also be able '
'to perform malicious functions in the background potentially '
'disguised as legitimate tools within the framework.(Citation: '
'Electron 1) For example, the abuse of `teams.exe` and '
'`chrome.exe` may allow adversaries to execute malicious '
'commands as child processes of the legitimate application '
'(e.g., `chrome.exe --disable-gpu-sandbox '
'--gpu-launcher="C:\\Windows\\system32\\cmd.exe /c '
'calc.exe`).(Citation: Electron 6-8)\n'
'\n'
'Adversaries may also execute malicious content by planting '
'malicious '
'[JavaScript](https://attack.mitre.org/techniques/T1059/007) '
'within Electron applications.(Citation: Electron Security)',
'external_references': [{'external_id': 'T1218.015',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1218/015'},
{'description': 'Alanna Titterington. (2023, '
'September 14). Security of '
'Electron-based desktop applications. '
'Retrieved March 7, 2024.',
'source_name': 'Electron 3',
'url': 'https://www.kaspersky.com/blog/electron-framework-security-issues/49035/'},
{'description': 'ElectronJS.org. (n.d.). Retrieved '
'March 7, 2024.',
'source_name': 'Electron Security',
'url': 'https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules'},
{'description': 'Kosayev, U. (2023, June 15). One '
'Electron to Rule Them All. Retrieved '
'March 7, 2024.',
'source_name': 'Electron 6-8',
'url': 'https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf'},
{'description': 'TOM ABAI. (2023, August 10). There’s '
'a New Stealer Variant in Town, and '
'It’s Using Electron to Stay Fully '
'Undetected. Retrieved March 7, 2024.',
'source_name': 'Electron 1',
'url': 'https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/'},
{'description': 'Trend Micro. (2023, June 6). Abusing '
'Electronbased applications in '
'targeted attacks. Retrieved March 7, '
'2024.',
'source_name': 'Electron 2',
'url': 'https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf'}],
'id': 'attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T22:24:54.174Z',
'name': 'Electron Applications',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Debabrata Sharma'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.0'}