Description
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)
During malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat actor impersonates FSB APT)(Citation: GamaCopy organization)
As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.
Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require the use of Web Services.(Citation: FireEye APT29)
Platforms
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Threat Groups (25)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Opera... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has utilized custom malware to maintain persistence in a compromised environment.(Citation: Mandiant FI... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) has developed custom malware, including a malware delivery mechanism masquerading as a legiti... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has developed malware for their operations, including ransomware such as [BitPaymer](https://at... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Ci... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has developed malware that utilizes Qt cross-platform framework to include [BeaverTail](... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) actively developed and used a series of downloaders during 2022.(Citation: ESET OilRig Downloaders DEC... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has deployed custom malware families on Fortinet and VMware systems.(Citation: Mandiant Fortinet Zero... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has used unique malware for information theft and exfiltration.(Citation: Kaspersky LuminousMoth... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has created and continued to develop custom strains of malware including [LODEINFO](https://attack... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has developed malware for its operations, including malicious mobile applications and destructi... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has used custom tooling including [JumbledPath](https://attack.mitre.org/software/S1206).(Citati... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used unique malware in many of their operations.(Citation: F-Secure The Dukes)(Citation: Mandiant N... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) developed and employ [Playcrypt](https://attack.mitre.org/software/S1162) ransomware.(Citation: Trend Mi... |
| G1007 | Aoqin Dragon | [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has used custom malware, including [Mongall](https://attack.mitre.org/software/S1026) and [Heyok... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has customized existing malware with new capabilities including [njRAT](https://attack.mitre.org/sof... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has created its own tools to use during operations.(Citation: therecord_redcurl) |
| G0003 | Cleaver | [Cleaver](https://attack.mitre.org/groups/G0003) has created customized tools and payloads for functions including ARP poisoning, encryption, credenti... |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has built malware, such as [DCSrv](https://attack.mitre.org/software/S1033) and [PyDCrypt](https:... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has developed its own unique malware for use in operations.(Citation: Recorded Future Turla Infra 2020) |
References
- Catalin Cimpanu. (2025, January 22). Risky Bulletin: Threat actor impersonates FSB APT for months to target Russian orgs. Retrieved June 14, 2025.
- Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.
- FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Knownsec 404 Advanced Threat Intelligence team. (2025, January 21). Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military-related bait to launch attacks on Russia. Retrieved June 14, 2025.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Paul Rascagneres, Martin Lee. (2018, February 26). Who Wasn’t Responsible for Olympic Destroyer? Retrieved June 14, 2025.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
Frequently Asked Questions
What is T1587.001 (Malware)?
T1587.001 is a MITRE ATT&CK technique named 'Malware'. It belongs to the Resource Development tactic(s). Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoor...
How can T1587.001 be detected?
Detection of T1587.001 (Malware) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1587.001?
There is 1 documented mitigation for T1587.001: Pre-compromise (M1056).
Which threat groups use T1587.001?
Known threat groups using T1587.001 include: Kimsuky, FIN13, Moonstone Sleet, Indrik Spider, Lazarus Group, Contagious Interview, OilRig, UNC3886.