Description
Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing.(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)
No-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)
The use of junk / dead code insertion is distinct from Binary Padding because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature.
Platforms
Mitigations (1)
Antivirus/AntimalwareM1049
Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.(Citation: ReasonLabs)
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used random junk code to obfuscate malware code.(Citation: Mandiant FIN7 Apr 2022) |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used junk characters to obfuscate malicious scripts.(Citation: Recorded Future TAG-144 AUG 2025) |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has obfuscated .NET executables by inserting junk code.(Citation: ESET Gamaredon June 2020) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has obfuscated code by filling scripts with junk code and concatenating strings to hamper analysis an... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) includes garbage code to mislead anti-malware software and researchers.(Citation: ESET OceanLotus)(Cita... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used junk code within their DLL files to hinder analysis.(Citation: Eset PlugX Korplug Must... |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has inserted large blocks of junk code, including some components to decrypt strings and other importa... |
| S0117 | XTunnel | Malware | A version of [XTunnel](https://attack.mitre.org/software/S0117) introduced in July 2015 inserted junk code into the binary in a likely attempt to obfu... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) variants have included excessive mathematical functions padding the binary and slowing execut... |
| S0248 | yty | Malware | [yty](https://attack.mitre.org/software/S0248) contains junk code in its binary, likely to confuse malware analysts.(Citation: ASERT Donot March 2018) |
| S0230 | ZeroT | Malware | [ZeroT](https://attack.mitre.org/software/S0230) has obfuscated DLLs and functions using dummy API calls inserted between real instructions.(Citation:... |
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) obfuscates memory flow by adding junk instructions when executing to make analysis more difficult.(Cit... |
| S0370 | SamSam | Malware | [SamSam](https://attack.mitre.org/software/S0370) has used garbage code to pad some of its malware components.(Citation: Sophos SamSam Apr 2018) |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) has inserted junk code to obstruct code analysis.(Citation: ITOCHU LODEINFO JAN 2024) |
| S0477 | Goopy | Malware | [Goopy](https://attack.mitre.org/software/S0477)'s decrypter have been inflated with junk code in between legitimate API functions, and also included ... |
| S0612 | WastedLocker | Malware | [WastedLocker](https://attack.mitre.org/software/S0612) contains junk code to increase its entropy and hide the actual code.(Citation: NCC Group Waste... |
| S0137 | CORESHELL | Malware | [CORESHELL](https://attack.mitre.org/software/S0137) contains unused machine instructions in a likely attempt to hinder analysis.(Citation: FireEye AP... |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) contains junk code in its functions in an effort to confuse disassembly programs.(Citation: FinFi... |
| S9027 | ANELLDR | Malware | [ANELLDR](https://attack.mitre.org/software/S9027) can use junk code for payload obfuscation.(Citation: Trend Micro Earth Kasha Anel NOV 2024) |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can use junk code to hide functions and evade detection.(Citation: ESET Gelsemium June 2021) |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) has used useless code blocks to counter analysis.(Citation: TrendMicro POWERSTATS V3 June 2019) |
| S0512 | FatDuke | Malware | [FatDuke](https://attack.mitre.org/software/S0512) has been packed with junk code and strings.(Citation: ESET Dukes October 2019) |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) can insert junk code to avoid detection.(Citation: Zscaler PureCrypter JUN 2022) |
| S9025 | NOOPLDR | Malware | [NOOPLDR](https://attack.mitre.org/software/S9025) can insert junk code to obfuscate malicious payloads.(Citation: Trend Micro Earth Kasha NOV 2024)(C... |
References
- ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.
- What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025.
Frequently Asked Questions
What is T1027.016 (Junk Code Insertion)?
T1027.016 is a MITRE ATT&CK technique named 'Junk Code Insertion'. It belongs to the Stealth tactic(s). Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code....
How can T1027.016 be detected?
Detection of T1027.016 (Junk Code Insertion) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.016?
There are 1 documented mitigations for T1027.016. Key mitigations include: Antivirus/Antimalware.
Which threat groups use T1027.016?
Known threat groups using T1027.016 include: FIN7, APT-C-36, Gamaredon Group, Kimsuky, APT32, Mustang Panda.