MITRE ATT&CK Technique
Defense Evasion T1500
Description

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2019-04-25T20:53:07.719Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may attempt to make payloads difficult to '
                'discover and analyze by delivering files to victims as '
                'uncompiled code. Similar to [Obfuscated Files or '
                'Information](https://attack.mitre.org/techniques/T1027), '
                'text-based source code files may subvert analysis and '
                'scrutiny from protections targeting executables/binaries. '
                'These payloads will need to be compiled before execution; '
                'typically via native utilities such as csc.exe or '
                'GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n'
                '\n'
                'Source code payloads may also be encrypted, encoded, and/or '
                'embedded within other files, such as those delivered as a '
                '[Spearphishing '
                'Attachment](https://attack.mitre.org/techniques/T1193). '
                'Payloads may also be delivered in formats unrecognizable and '
                'inherently benign to the native OS (ex: EXEs on macOS/Linux) '
                'before later being (re)compiled into a proper executable '
                'binary with a bundled compiler and execution '
                'framework.(Citation: TrendMicro WindowsAppMac)\n',
 'external_references': [{'external_id': 'T1500',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1500'},
                         {'description': 'ClearSky Cyber Security. (2018, '
                                         'November). MuddyWater Operations in '
                                         'Lebanon and Oman: Using an Israeli '
                                         'compromised domain for a two-stage '
                                         'campaign. Retrieved November 29, '
                                         '2018.',
                          'source_name': 'ClearSky MuddyWater Nov 2018',
                          'url': 'https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf'},
                         {'description': 'Trend Micro. (2019, February 11). '
                                         'Windows App Runs on Mac, Downloads '
                                         'Info Stealer and Adware. Retrieved '
                                         'April 25, 2019.',
                          'source_name': 'TrendMicro WindowsAppMac',
                          'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/'}],
 'id': 'attack-pattern--cf7b3a06-8b42-4c33-bbe9-012120027925',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:24.988Z',
 'name': 'Compile After Delivery',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Ye Yint Min Thu Htut, Offensive Security Team, DBS '
                          'Bank',
                          'Praetorian'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}