
S0415: BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]

Enterprise · S0415 · Malware · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

BOOSTWRITE matters because it represents a Windows loader designed to run through abused DLL search order behavior rather than obvious direct execution. For security leaders, the practical issue is whether trusted or business-critical applications can be used as launch points for malicious shared modules, especially where endpoint logging, DLL load visibility, and code-signing validation are incomplete.

Executive priority

Prioritize this as a control-validation and incident-readiness issue for Windows environments. The supplied ATT&CK context ties BOOSTWRITE to FIN7 and to techniques involving DLL abuse, shared module execution, encoded or encrypted files, deobfuscation, and code signing. Leaders should ask whether the organization can prove which DLLs are loaded by sensitive applications, whether unsigned or unexpectedly signed binaries are reviewed, and whether incident responders can quickly distinguish legitimate application dependencies from suspicious side-loaded modules.

Technical view

BOOSTWRITE is described as a loader crafted to be launched through abuse of application DLL search order on Windows. SOC and IR teams should validate visibility around DLL load events, process ancestry, module paths, file creation/modification near application directories, and code-signing metadata. Detection work should be mapped to the related techniques: T1574.001 for DLL abuse, T1129 for shared module execution, T1027.013 for encrypted or encoded files, T1140 for decoding or deobfuscation behavior, and T1553.002 for code-signing abuse. Because ATT&CK provides no official detection text for this software entry, local baselining of normal application module loading is essential.

Likely telemetry

  • Windows endpoint process execution telemetry
  • DLL/module load telemetry from protected or business-critical applications
  • File system events for DLLs or related files placed in application directories or search-path locations
  • Code-signing certificate, signer, and signature-validation metadata
  • Endpoint detection alerts related to DLL side-loading, search order hijacking, encoded files, or deobfuscation

Detection direction

  • Baseline normal DLL load paths for high-value Windows applications and alert on unexpected modules loaded from writable or unusual directories.
  • Correlate suspicious DLL loads with recent file creation, modification, or replacement activity in application-adjacent paths.
  • Review code-signing metadata carefully; signed code should not be treated as automatically trusted because the related ATT&CK context includes code-signing abuse.
  • Look for combinations rather than single weak signals: unusual module load plus encoded/encrypted file content, deobfuscation behavior, or abnormal process lineage is more useful than filename-based matching alone.
  • Account for false positives from legitimate software updates, plugins, and application dependencies by maintaining allowlists based on verified paths, hashes, publishers, and change-management records.
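One way to turn the first three detection bullets into working logic, as an added example that is not Glexia's or MITRE's code: it scans constructed Sysmon-style image-load and file-create records for a well-known system DLL name (Dwrite.dll, the module named in this page's T1574.001 procedure note) loaded from outside the Windows system directories, correlates each such load with recent writes to that path, and compares the signer against an assumed publisher allowlist. The host, paths, timestamps and the EXPECTED_SIGNERS allowlist are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Windows system directories where OS-supplied DLLs are expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed allowlist (illustration only): DLL name -> expected signer subject.
EXPECTED_SIGNERS = {"dwrite.dll": "Microsoft Windows"}

# Constructed sample telemetry, not real events: image loads (Sysmon EID 7 style)
# and file creates (Sysmon EID 11 style) from one Windows host.
IMAGE_LOADS = [
    {"time": "2024-05-01T10:00:05", "process": r"C:\Program Files\Vendor\App.exe",
     "image": r"C:\Windows\System32\dwrite.dll", "signed": True, "signer": "Microsoft Windows"},
    {"time": "2024-05-01T10:02:10", "process": r"C:\Program Files\Vendor\App.exe",
     "image": r"C:\Program Files\Vendor\dwrite.dll", "signed": True, "signer": "Example Corp"},
]
FILE_CREATES = [
    {"time": "2024-05-01T09:58:40", "target": r"C:\Program Files\Vendor\dwrite.dll",
     "process": r"C:\Users\alice\AppData\Local\Temp\installer.exe"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_loads(loads, creates, window=timedelta(hours=24)):
    """Return one finding per load of an allowlisted system DLL name from a
    non-system directory, with correlated recent writes and a signer check."""
    findings = []
    for ev in loads:
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        # Skip modules we have no baseline for, and loads from the expected location.
        if name not in EXPECTED_SIGNERS or image.startswith(SYSTEM_DIRS):
            continue
        loaded_at = _ts(ev["time"])
        # Correlate with file creates on the same path inside the lookback window.
        recent = [c for c in creates
                  if c["target"].lower() == image
                  and loaded_at - window <= _ts(c["time"]) <= loaded_at]
        # A signature alone is not trust: the signer must match the expected publisher.
        signer_ok = bool(ev["signed"]) and ev["signer"] == EXPECTED_SIGNERS[name]
        findings.append({
            "process": ev["process"],
            "image": ev["image"],
            "recent_write_by": [c["process"] for c in recent],
            "unexpected_signer": not signer_ok,
            # Weak signals are combined: off-path load + recent write + signer mismatch.
            "score": 1 + len(recent) + (0 if signer_ok else 1),
        })
    return findings
```

Only the second load is reported: it comes from the application directory, was preceded by a write from a temp-folder installer, and carries a signature from a publisher other than the expected one.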

Mitigation priorities

  • Harden Windows application directories and DLL search paths so standard users and service accounts cannot write to locations used by trusted applications.
  • Enforce least privilege and application control where feasible to restrict unauthorized DLLs and loaders.
  • Require validation of code-signing status, signer reputation, and expected publisher relationships rather than relying only on the presence of a signature.
  • Improve endpoint logging and retention for process, module-load, file-write, and signature metadata so investigations can reconstruct loader activity.
  • Exercise incident response playbooks for suspected DLL side-loading or search order hijacking, including collection of loaded modules and application dependency evidence.

Analyst notes and limits

The strongest decision value from this object is not a BOOSTWRITE-specific signature but the control question it raises: can the organization detect and investigate malicious shared modules loaded by otherwise legitimate Windows applications? The FIN7 relationship increases relevance for sectors named in the supplied group description, but local exposure depends on the organization’s application estate, endpoint controls, and telemetry maturity.

ATT&CK does not provide official detection guidance, tactics are not specified on the software object, and the supplied description is brief. This summary uses only the provided ATT&CK fields, external reference, and relationships; it does not assert active exploitation, current targeting, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1140 | Deobfuscate/Decode Files or Information
BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload. [1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit initialization vector (IV) to evade detection. [1]

Enterprise | T1553.002 | Code Signing (sub-technique)
BOOSTWRITE has been signed by a valid CA. [1]

Enterprise | T1129 | Shared Modules
BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules. [1]

Enterprise | T1574.001 | DLL (sub-technique)
BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0046: FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: e34c07d374139e41...

Imported snapshots across ATT&CK releases (1)
Release 19.1 · Object version 1.1 · Status: Current bundle · Raw hash e34c07d37413…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye FIN7 Oct 2019: Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques. Retrieved October 11, 2019.
  2. [2] mitre-attack S0415
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.