Description
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating and then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk (e.g., Shared Modules).
Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snippets of fileless executable code (e.g., position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the Assembly.Load() method executed by PowerShell may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)
Reflective code injection is very similar to Process Injection except that the “injection” loads code into the process's own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)
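The memory-level artifact that the description above implies is executable memory with no file behind it: an anonymous region, an anonymous in-RAM file, or a region whose backing file no longer exists on disk. The following defender-side script is an added example, not part of the ATT&CK page or any cited tool; it parses the Linux `/proc/<pid>/maps` format and flags executable mappings of that kind. The sample maps lines are constructed for the example, and the heuristics it applies (flagging anonymous, `memfd:`-backed, deleted-file-backed, and writable-plus-executable mappings while exempting the kernel-provided `[vdso]` and `[vsyscall]` regions) are the example's own assumptions rather than anything the page specifies.

```python
"""Added example (not from the ATT&CK page): flag executable memory regions
that are not backed by a file on disk, using the Linux /proc/<pid>/maps format.
The SAMPLE_MAPS lines are constructed for this example."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Tuple

# One maps line: "start-end perms offset dev inode [pathname]"
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?\s*$"
)

# Kernel-provided executable regions: not file-backed, but expected (assumption).
_KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Constructed sample: a normal binary, an anonymous rwx region, a memfd-backed
# executable region, the stack, and the two kernel regions.
SAMPLE_MAPS = """\
55d4c2a00000-55d4c2a21000 r--p 00000000 08:01 393234 /usr/bin/example
55d4c2a21000-55d4c2a3c000 r-xp 00021000 08:01 393234 /usr/bin/example
7f1b3c000000-7f1b3c021000 rw-p 00000000 00:00 0
7f1b3c021000-7f1b3c042000 rwxp 00000000 00:00 0
7f1b3c100000-7f1b3c110000 r-xp 00000000 00:05 1052 /memfd:payload (deleted)
7ffd1a2e0000-7ffd1a301000 rw-p 00000000 00:00 0 [stack]
7ffd1a3b0000-7ffd1a3b2000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str  # empty string for an anonymous mapping

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps-format lines; lines that do not match are skipped, not trusted."""
    out: List[Mapping] = []
    for line in lines:
        m = _MAPS_RE.match(line.rstrip("\n"))
        if not m:
            continue
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                           int(m["inode"]), (m["path"] or "").strip()))
    return out


def classify(m: Mapping) -> str:
    """Reason string if the region looks like reflectively loaded code, else ""."""
    if not m.executable or m.path in _KERNEL_REGIONS:
        return ""
    if m.path == "" or m.path.startswith("["):
        return "executable anonymous memory (no backing file)"
    if m.path.startswith("/memfd:"):
        return "executable memfd (anonymous file present only in RAM)"
    if m.path.endswith(" (deleted)"):
        return "executable mapping whose backing file was removed from disk"
    if m.writable:
        return "file mapping that is both writable and executable"
    return ""


def suspicious_exec_regions(mappings: Iterable[Mapping]) -> List[Tuple[Mapping, str]]:
    """Return (mapping, reason) pairs for every region classify() flags."""
    return [(m, why) for m in mappings if (why := classify(m))]


def scan_process(pid: str = "self") -> List[Tuple[Mapping, str]]:
    """Scan a live Linux process; reading another pid's maps needs ptrace access."""
    text = Path(f"/proc/{pid}/maps").read_text()
    return suspicious_exec_regions(parse_maps(text.splitlines()))


if __name__ == "__main__":
    for m, why in suspicious_exec_regions(parse_maps(SAMPLE_MAPS.splitlines())):
        print(f"{m.start:#x}-{m.end:#x} {m.perms} {m.path or '<anon>'}: {why}")
```

Treat hits as triage leads rather than verdicts: JIT runtimes (browsers, the .NET and Java VMs) legitimately create anonymous executable pages, so a per-process baseline is needed before alerting. The same check on Windows is the usual EDR heuristic of executable private (non-image) committed memory with no loaded module behind it, which is how the Assembly.Load() and shellcode cases in the description show up in memory.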
Platforms
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has loaded a .NET assembly into the current execution context via `Reflection.Assembly::Load`.(Citation:... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has changed memory protection permissions then overwritten in memory DLL function code with she... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used the Invoke-Mimikatz PowerShell script to reflectively load a Mimikatz credential stealing DL... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used an obfuscated PowerShell script that used `System.Reflection.Assembly` to gather and... |
Associated Software (26)
| ID | Name | Type | Context |
|---|---|---|---|
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to ... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689)'s downloader can reverse its third stage file bytes and reflectively load the file as a .NET as... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) has the ability to load new modules directly into memory using its `Load Modules Mem` command.(Cit... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can run a .NET executable within the memory of a sacrificial process by loading the CLR.(Cita... |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) reflectively loads a Windows PE file into a process.(Citation: GitHub PowerSploit May 2012)(Cit... |
| S0447 | Lokibot | Malware | [Lokibot](https://attack.mitre.org/software/S0447) has reflectively loaded the decoded DLL into memory.(Citation: Talos Lokibot Jan 2021) |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can use custom shellcode to map embedded DLLs into memory.(Citation: ESET Gelsemium June 2021) |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has loaded its payload into memory.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: ... |
| S1059 | metaMain | Malware | [metaMain](https://attack.mitre.org/software/S1059) has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.(Citation: SentinelL... |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) loaded the payload into memory using PowerShell.(Citation: McAfee Cuba April 2021) |
| S9033 | Fooder | Malware | [Fooder](https://attack.mitre.org/software/S9033) has reflectively loaded a payload into memory.(Citation: ESET_MuddyWater_Dec2025) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154)'s <code>execute-assembly</code> command can run a .NET executable within the memory of a sacr... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has downloaded a text file into memory and set the area of memory via the VirtualProtect call. The... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) has used reflective loading to execute malicious DLLs.(Citation: MDSec Brute Ratel August 20... |
| S1022 | IceApple | Malware | [IceApple](https://attack.mitre.org/software/S1022) can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Ex... |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) reflectively loads stored, previously encrypted components of the PE file into memory of the curren... |
| S9032 | MuddyViper | Malware | [MuddyViper](https://attack.mitre.org/software/S9032) has reflectively loaded the decrypted HackBrowserData tool in a new thread.(Citation: ESET_Muddy... |
| S0695 | Donut | Tool | [Donut](https://attack.mitre.org/software/S0695) can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET ... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has reflectively loaded payloads into memory.(Citation: Binary Defense Emotes Wi-Fi Spreader) |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has used reflective loading techniques to load content into memory during execution.(Citation... |
References
- 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.
- Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.
- Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.
- Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.
- Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024.
- Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.
- Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.
- The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.
Frequently Asked Questions
What is T1620 (Reflective Code Loading)?
T1620 is a MITRE ATT&CK technique named 'Reflective Code Loading'. It belongs to the Stealth tactic(s). Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory...
How can T1620 be detected?
Detection of T1620 (Reflective Code Loading) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1620?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1620?
Known threat groups using T1620 include: FIN7, Lazarus Group, Kimsuky, Gamaredon Group.