MITRE ATT&CK Technique
Description
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check) There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018) On a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-08-18T14:06:45.244Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to gather information about the '
'system language of a victim in order to infer the '
'geographical location of that host. This information may be '
'used to shape follow-on behaviors, including whether the '
'adversary infects the target and/or attempts specific '
'actions. This decision may be employed by malware developers '
'and operators to reduce their risk of attracting the '
'attention of specific law enforcement agencies or '
'prosecution/scrutiny from other entities.(Citation: Malware '
'System Language Check)\n'
'\n'
'There are various sources of data an adversary could use to '
'infer system language, such as system defaults and keyboard '
'layouts. Specific checks will vary based on the target and/or '
'adversary, but may involve behaviors such as [Query '
'Registry](https://attack.mitre.org/techniques/T1012) and '
'calls to [Native '
'API](https://attack.mitre.org/techniques/T1106) '
'functions.(Citation: CrowdStrike Ryuk January 2019) \n'
'\n'
'For example, on a Windows system adversaries may attempt to '
'infer the language of a system by querying the registry key '
'<code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language</code> '
'or parsing the outputs of Windows API functions '
'<code>GetUserDefaultUILanguage</code>, '
'<code>GetSystemDefaultUILanguage</code>, '
'<code>GetKeyboardLayoutList</code> and '
'<code>GetUserDefaultLangID</code>.(Citation: Darkside '
'Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: '
'SecureList SynAck Doppelgänging May 2018)\n'
'\n'
'On a macOS or Linux system, adversaries may query '
'<code>locale</code> to retrieve the value of the '
'<code>$LANG</code> environment variable.',
'external_references': [{'external_id': 'T1614.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1614/001'},
{'description': 'Cybereason Nocturnus. (2021, April '
'1). Cybereason vs. Darkside '
'Ransomware. Retrieved August 18, '
'2021.',
'source_name': 'Darkside Ransomware Cybereason',
'url': 'https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware'},
{'description': 'Fedor Sinitsyn. (2021, May 25). '
'Evolution of JSWorm Ransomware. '
'Retrieved August 18, 2021.',
'source_name': 'Securelist JSWorm',
'url': 'https://securelist.com/evolution-of-jsworm-ransomware/102428/'},
{'description': 'Hanel, A. (2019, January 10). Big '
'Game Hunting with Ryuk: Another '
'Lucrative Targeted Ransomware. '
'Retrieved May 12, 2020.',
'source_name': 'CrowdStrike Ryuk January 2019',
'url': 'https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/'},
{'description': 'Ivanov, A. et al. (2018, May 7). '
'SynAck targeted ransomware uses the '
'Doppelgänging technique. Retrieved '
'May 22, 2018.',
'source_name': 'SecureList SynAck Doppelgänging May '
'2018',
'url': 'https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/'},
{'description': 'Pierre-Marc Bureau. (2009, January '
'15). Malware Trying to Avoid Some '
'Countries. Retrieved August 18, '
'2021.',
'source_name': 'Malware System Language Check',
'url': 'https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/'}],
'id': 'attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:49:20.039Z',
'name': 'System Language Discovery',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Harshal Tupsamudre, Qualys'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.1'}