Home/ MITRE Matrix/ Defense Evasion/ T1027.002

T1027.002Software Packing

T1027.002 — Software Packing is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 5 detection use cases covering it and 6 threat-intel articles citing it.

Defense Evasion

View on the matrix → Filter Detection Library MITRE official spec ↗

5Use cases

6Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1027 · Obfuscated Files or Information

Use cases covering this technique (5)

[LLM] Hades on-import payload: python interpreter spawns Bun runtime download Bespoke install · alerting DSΣPDDCS [LLM] Gremlin Stealer packed sample SHA256 execution (2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b) Bespoke install · alerting DSΣPDDCS [LLM] Shai-Hulud npm preinstall: node spawns Bun runtime from bun-dl-* tmpdir Bespoke install · alerting DSΣPDD [LLM] Download of openclawcore-1.0.3.zip from denboss99 GitHub release (Windows OpenClaw skill payload) Bespoke delivery · alerting DSΣPDDCS [LLM] DWrite.dll Rust sideloader dropped outside Windows directory (ClawdBot redundant payload) Bespoke install · hunting DSΣPDDCS

Articles citing this technique (6)

high Miasma and Hades Are Spreading Now: Detect Them on Developer Machines with Suspicious Files art-45

high Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files art-281

crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Sco art-333

crit EDR killers explained: Beyond the drivers art-455

crit How a Malicious Google Skill on ClawHub Tricks Users Into Installing Malware art-564

high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594