Description
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. Depending on how they intend to use that information, they may require separate mechanisms to decode or deobfuscate it. Methods for doing so include built-in functionality of the malware itself or the use of utilities already present on the system.
One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)
Sometimes a user's action may be required to open the file for deobfuscation or decryption as part of User Execution. The user may also be required to enter a password to open a password-protected compressed or encrypted file supplied by the adversary.(Citation: Volexity PowerDuke November 2016)
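As an added defender-side example (not code from the ATT&CK page), the following Python rules flag the two decode/reassembly patterns named above, certutil with a decode switch and copy /b or type concatenation, in process-creation command lines; the event records and all paths are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (invented for this example, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4412, "cmdline": r"certutil.exe -decode C:\Users\Public\update.crt C:\Users\Public\svc.exe"},
    {"pid": 4418, "cmdline": r"cmd.exe /c copy /b C:\Temp\p1.dat+C:\Temp\p2.dat+C:\Temp\p3.dat C:\Temp\out.exe"},
    {"pid": 4420, "cmdline": r"cmd.exe /c type a.bin b.bin > C:\Temp\joined.dll"},
    {"pid": 4500, "cmdline": r"certutil.exe -verify -urlfetch C:\certs\corp.cer"},  # benign certutil use
    {"pid": 4501, "cmdline": r"cmd.exe /c copy report.docx \\fileserver\share\docs"},  # benign copy
]

# certutil invoked with a decode switch (-decode / -decodehex), any letter case
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s[-/]decode(?:hex)?\b", re.IGNORECASE)
# copy in binary mode joining several inputs with '+' (copy /b a+b+c out)
COPY_B_JOIN = re.compile(r"\bcopy\s+(?:/[a-z]\s+)*/b\b.*\S\+\S", re.IGNORECASE)
# type with two or more inputs redirected into one output file (type a b > out)
TYPE_REDIRECT = re.compile(r"\btype\s+(?:\S+\s+){2,}>\s*\S+", re.IGNORECASE)

RULES = [
    ("T1140_certutil_decode", CERTUTIL_DECODE),
    ("T1140_copy_b_reassembly", COPY_B_JOIN),
    ("T1140_type_reassembly", TYPE_REDIRECT),
]

# Output written with an executable extension raises the priority of a hit
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|cpl|sys)\b", re.IGNORECASE)


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches, in rule order."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # The last token is the destination for all three patterns; tag executable outputs
    if hits and EXECUTABLE_EXT.search(cmdline.rsplit(" ", 1)[-1]):
        hits.append("writes_executable_output")
    return hits


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rules to each event and return only the events that fired at least one rule."""
    findings = []
    for ev in events:
        hits = classify(str(ev["cmdline"]))
        if hits:
            findings.append({"pid": ev["pid"], "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Benign certutil verification and a plain copy produce no finding, so the rules key on the decode switch, the binary-mode `+` join and the multi-input redirect rather than on the tool name alone.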
Threat Groups (38)
| ID | Group | Context |
|---|---|---|
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) downloads encoded payloads and decodes them on the victim.(Citation: Secureworks BRONZE BUTLER ... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WM... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used malware to decrypt encrypted CAB files.(Citation: FBI FLASH APT39 September 2020) |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used Base64 to decode malicious VBS script.(Citation: Lab52 WIRTE Apr 2019) |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can decode contents from a payload that was Base64 encoded and write the contents to a f... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has decoded malicious VBScripts using Base64.(Citation: Talos Kimsuky Nov 2021) [Kimsuky](https://att... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) delivered payloads using multiple rounds of obfuscation and encoding to evade defenses and an... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has the ability to decrypt its payload prior to execution.(Citation: Lab52 MUSTANG PANDA PUBLOA... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) has deployed base64-encoded variants of [ASPXSpy](https://attack.mitre.org/software/S0073) to evade de... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has deobfuscated Base64-encoded shellcode strings prior to loading them.(Citation: Microsoft NICKEL ... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used the RC4 algorithm to decrypt configuration data. (Citation: 1 - appv) |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used Base64-encoded data to transfer payloads and commands, including deobfuscation via [cer... |
| G0021 | Molerats | [Molerats](https://attack.mitre.org/groups/G0021) decompresses ZIP files once on the victim machine.(Citation: Kaspersky MoleRATs April 2019) |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has decrypted strings and imports using RC4 during execution.(Citation: Securelist Darkhotel Aug 20... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [certutil](https://attack.mitre.org/software/S0160) to decode a string into a cabinet fi... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has distributed password-protected archives such as ZIP files during intrusions.(Citation: rapid7-... |
| G0128 | ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.(Citation: Check Poin... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has decoded base64-encoded PowerShell, JavaScript, and VBScript.(Citation: FireEye MuddyWater Mar ... |
| G0049 | OilRig | An [OilRig](https://attack.mitre.org/groups/G0049) macro has run a PowerShell command to decode file contents. [OilRig](https://attack.mitre.org/groups... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) tools decrypted additional payloads from the C2. [Gamaredon Group](https://attack.mitre.org/g... |
Associated Software (298)
| ID | Name | Type | Context |
|---|---|---|---|
| S9028 | PHPsert | Malware | [PHPsert](https://attack.mitre.org/software/S9028) has the ability to decode and decrypt obfuscated strings prior to execution.(Citation: sentinelone ... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has decoded an XOR-encoded private key.(Citation: JPCERT SPAWNCHIMERA Ivanti February 2025) |
| S0230 | ZeroT | Malware | [ZeroT](https://attack.mitre.org/software/S0230) shellcode decrypts and decompresses its RC4-encrypted payload.(Citation: Proofpoint ZeroT Feb 2017) |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has decoded files received from a C2.(Citation: CISA AppleJeus Feb 2021) |
| S1028 | Action RAT | Malware | [Action RAT](https://attack.mitre.org/software/S1028) can use Base64 to decode actor-controlled C2 server communications.(Citation: MalwareBytes SideC... |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has deobfuscated itself before executing its commands.(Citation: MalwareBytes LazyScripter Feb 202... |
| S1086 | Snip3 | Malware | [Snip3](https://attack.mitre.org/software/S1086) can decode its second-stage PowerShell script prior to execution.(Citation: Morphisec Snip3 May 2021) |
| S0574 | BendyBear | Malware | [BendyBear](https://attack.mitre.org/software/S0574) has decrypted function blocks using a XOR key during runtime to evade detection.(Citation: Unit42... |
| S0513 | LiteDuke | Malware | [LiteDuke](https://attack.mitre.org/software/S0513) has the ability to decrypt and decode multiple layers of obfuscation.(Citation: ESET Dukes October... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) can use a decryption mechanism to process a user supplied password and allow execution.(Cit... |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has used certutil to download and decode base64 encoded strings and has also devoted a custom section... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409)’s downloaded data is decrypted using AES.(Citation: ESET Machete July 2019) |
| S0415 | BOOSTWRITE | Malware | [BOOSTWRITE](https://attack.mitre.org/software/S0415) has used a 32-byte long multi-XOR key to decode data inside its payload.(Citation: FireEye FIN... |
| S1202 | LockBit 3.0 | Malware | The [LockBit 3.0](https://attack.mitre.org/software/S1202) payload is decrypted at runtime.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Jo... |
| S1078 | RotaJakiro | Malware | [RotaJakiro](https://attack.mitre.org/software/S1078) uses the AES algorithm, bit shifts in a function called `rotate`, and an XOR cipher to decrypt r... |
| S0284 | More_eggs | Malware | [More_eggs](https://attack.mitre.org/software/S0284) will decode malware components that are then dropped to the system.(Citation: Security Intelligen... |
| S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) can decrypt its payload and associated configuration elements using the Rijndael cipher.(Citat... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can decompress and decrypt DLLs and shellcode.(Citation: ESET Gelsemium June 2021) |
| S9026 | ROAMINGHOUSE | Malware | [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can decode and drop a malicious ZIP file prior to execution.(Citation: Trend Micro Earth Kasha... |
| S0226 | Smoke Loader | Malware | [Smoke Loader](https://attack.mitre.org/software/S0226) deobfuscates its code.(Citation: Talos Smoke Loader July 2018) |
References
- Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.
- Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
- Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
Frequently Asked Questions
What is T1140 (Deobfuscate/Decode Files or Information)?
T1140 is a MITRE ATT&CK technique named 'Deobfuscate/Decode Files or Information'. It belongs to the Stealth tactic(s). Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deob...
How can T1140 be detected?
Detection of T1140 (Deobfuscate/Decode Files or Information) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1140?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1140?
Known threat groups using T1140 include: BRONZE BUTLER, Turla, APT39, WIRTE, Gorgon Group, Kimsuky, Moonstone Sleet, Mustang Panda.