MITRE ATT&CK® Technique

T1027.004: Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution, typically via native utilities such as ilasm.exe[1], csc.exe, or GCC/MinGW.[2]

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (e.g., EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[3]

Enterprise | T1027.004 | Sub-technique | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Compile After Delivery matters because it shifts suspicious content from an obvious executable into source code or another benign-looking form until it is compiled on the victim system. For leaders, the practical issue is whether security controls can see the transformation from text/source material into an executable across Windows, Linux, and macOS, rather than only scanning files at delivery time.

Executive priority

Prioritize this where endpoints or servers commonly have compilers, developer tooling, scripting frameworks, or permissive execution controls. The business risk is stealth: payloads may bypass controls focused on binaries and only become detectable at compile time. Leaders should ask whether SOC coverage includes compiler execution, source-to-binary creation, and unusual use of native utilities such as csc.exe, ilasm.exe, GCC, or MinGW, especially on systems where compilation is not expected.

Technical view

This is an enterprise ATT&CK stealth sub-technique of T1027 Obfuscated Files or Information for Linux, macOS, and Windows. MITRE describes adversaries delivering uncompiled code that must be compiled before execution, including use of native utilities such as ilasm.exe, csc.exe, GCC, or MinGW. The relationship context includes DET0501, a detection strategy focused on source-code-to-executable transformation, and ATT&CK maps multiple groups and software families to this behavior. SOC and IR teams should validate whether they can correlate source-like file delivery, compiler process execution, command-line context, parent-child process relationships, and creation of new executable artifacts.

Likely telemetry

  • Process creation events for compiler utilities such as csc.exe, ilasm.exe, GCC, and MinGW where present
  • Command-line arguments and working directories for compiler executions
  • Parent-child process relationships showing what launched the compiler
  • File creation and modification events for source-code-like files and newly created executables
  • Endpoint security or EDR telemetry from Windows, Linux, and macOS systems

Detection direction

  • Baseline legitimate compiler use by role and asset type; developer workstations and build servers will differ from ordinary user endpoints and servers.
  • Alert on compiler execution from unusual parents, user profiles, temporary directories, downloaded locations, or document/script-driven chains where local policy says compilation is not expected.
  • Correlate creation of text/source files with subsequent compiler execution and creation of executable binaries rather than relying on static detection of delivered files.
  • Tune carefully for false positives in engineering, DevOps, security testing, and software build environments.
  • Use the DET0501 relationship as direction to validate source-code-to-executable transformation coverage, while recognizing that the supplied ATT&CK object does not include detailed detection logic.
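The telemetry and detection points above describe a correlation rather than a single signature: a compiler launch, what spawned it, where it ran, and whether a source file appeared shortly before and a new binary shortly after. The following is an added example, not code from the page, MITRE, or Glexia, that scores compiler process-creation events against same-host file-creation events. The compiler names, suspicious-parent list, host-role labels, temp-directory segments, ten-minute window, weights and threshold are all assumptions to be tuned to local policy, and the events it runs over are constructed sample telemetry.

```python
"""Added example (not from the page or MITRE): score compiler launches by
correlating process and file telemetry to surface Compile After Delivery
(T1027.004). Sample events, name lists and thresholds are constructed assumptions."""
from datetime import datetime, timedelta

# Compiler binaries named on the page plus assumed aliases; extend per estate.
COMPILERS = {"csc.exe", "ilasm.exe", "gcc", "gcc.exe", "cc", "x86_64-w64-mingw32-gcc"}
# Parents that should not need to build code on ordinary endpoints (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "bash", "sh"}
EXPECTED_ROLES = {"developer", "build"}          # asset roles where compiling is baseline
SOURCE_EXT = {".cs", ".il", ".c", ".cpp"}
BINARY_EXT = {".exe", ".dll", ".out"}
TEMP_DIRS = {"temp", "tmp", "downloads", "shm"}  # path segments treated as staging areas
WINDOW = timedelta(minutes=10)                   # source -> compile -> binary window

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ext(path):
    name = basename(path)
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def in_temp(text):
    """True if any path segment in text (a cwd or a command line) is a staging dir."""
    return any(seg in TEMP_DIRS for seg in text.lower().replace("\\", "/").split("/"))

def assess_compile(proc, file_events, process_events):
    """Return (score, reasons) for one compiler process-creation event."""
    score, reasons = 0, []
    parent = basename(proc["parent"])
    if parent in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"compiler launched by {parent}")
    if proc["role"] not in EXPECTED_ROLES:
        score += 2
        reasons.append(f"compilation on non-build host role '{proc['role']}'")
    if in_temp(proc["cwd"]) or in_temp(proc["cmdline"]):
        score += 2
        reasons.append("working directory or arguments under a temp/download path")
    # Same-host file events: source written shortly before, binary written shortly after.
    t, host = proc["ts"], proc["host"]
    src = [f for f in file_events if f["host"] == host
           and ext(f["path"]) in SOURCE_EXT and t - WINDOW <= f["ts"] <= t]
    out = [f for f in file_events if f["host"] == host
           and ext(f["path"]) in BINARY_EXT and t <= f["ts"] <= t + WINDOW]
    if src and out:
        score += 3
        reasons.append(f"{basename(src[0]['path'])} -> {basename(out[0]['path'])}")
        built = basename(out[0]["path"])
        # Did the freshly built binary itself run within the window?
        if any(e["host"] == host and basename(e["image"]) == built
               and out[0]["ts"] <= e["ts"] <= t + WINDOW for e in process_events):
            score += 2
            reasons.append("newly built binary executed")
    return score, reasons

def detect(process_events, file_events, threshold=5):
    """Findings for compiler launches whose risk score reaches the threshold."""
    findings = []
    for proc in process_events:
        if basename(proc["image"]) not in COMPILERS:
            continue
        score, reasons = assess_compile(proc, file_events, process_events)
        if score >= threshold:
            findings.append({"host": proc["host"], "compiler": basename(proc["image"]),
                             "score": score, "reasons": reasons})
    return findings

# Constructed sample telemetry (hosts, users, paths and times are invented).
T0 = datetime(2024, 5, 1, 9, 0, 0)
WIN_CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TMP = r"C:\Users\jdoe\AppData\Local\Temp"
PROCESS_EVENTS = [
    {"host": "ws-finance-07", "role": "finance", "ts": T0, "image": WIN_CSC, "parent": WORD,
     "cwd": TMP, "cmdline": rf"csc.exe /nologo /out:{TMP}\upd.exe {TMP}\upd.cs"},
    {"host": "ws-finance-07", "role": "finance", "ts": T0 + timedelta(seconds=12),
     "image": rf"{TMP}\upd.exe", "parent": WORD, "cwd": TMP, "cmdline": "upd.exe"},
    {"host": "build-01", "role": "build", "ts": T0 + timedelta(minutes=3), "image": WIN_CSC,
     "parent": r"C:\Program Files\MSBuild\MSBuild.exe", "cwd": r"C:\build\app",
     "cmdline": r"csc.exe /out:C:\build\app\bin\App.dll C:\build\app\Program.cs"},
    {"host": "srv-web-03", "role": "web", "ts": T0 + timedelta(minutes=5), "image": "/usr/bin/gcc",
     "parent": "/usr/bin/bash", "cwd": "/tmp", "cmdline": "gcc /tmp/x.c -o /tmp/a.out"},
]
FILE_EVENTS = [  # file-creation events, constructed to match the processes above
    {"host": "ws-finance-07", "ts": T0 - timedelta(seconds=40), "path": rf"{TMP}\upd.cs"},
    {"host": "ws-finance-07", "ts": T0 + timedelta(seconds=4), "path": rf"{TMP}\upd.exe"},
    {"host": "build-01", "ts": T0 + timedelta(minutes=2), "path": r"C:\build\app\Program.cs"},
    {"host": "build-01", "ts": T0 + timedelta(minutes=3, seconds=20), "path": r"C:\build\app\bin\App.dll"},
    {"host": "srv-web-03", "ts": T0 + timedelta(minutes=4, seconds=50), "path": "/tmp/x.c"},
    {"host": "srv-web-03", "ts": T0 + timedelta(minutes=5, seconds=3), "path": "/tmp/a.out"},
]

if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{f['host']} {f['compiler']} score={f['score']}: " + "; ".join(f["reasons"]))
```

On the sample data the build server's csc.exe run also shows the source-to-binary transformation but stays below threshold because its parent, working directory and host role are all baseline, which is the tuning point the detection list makes: the transformation alone is not the alert, the transformation in the wrong context is. A real deployment would replace the role lookup with asset inventory, match parents by full path rather than name, and key the file correlation on the exact paths found in the compiler's command line instead of any source-like file on the host.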

Mitigation priorities

  • Inventory where compilers and build toolchains are legitimately required across Windows, Linux, and macOS.
  • Restrict or remove compiler utilities from systems that do not need them, where operationally feasible.
  • Apply application control or execution policy to limit unauthorized compiler and newly built binary execution.
  • Ensure email, web, and endpoint controls inspect or log source-code-like attachments, embedded code, encoded content, and post-delivery execution chains where supported.
  • Maintain SOC playbooks for investigating unexpected compilation, including source file origin, compiler parent process, generated binary path, and subsequent execution.

Analyst notes and limits

This behavior is material because it can defeat programs that focus mainly on delivered executables. The strongest defensive question is not simply whether malware scanning is enabled, but whether the organization can observe and govern the moment source code becomes an executable. ATT&CK relationships show this technique is associated with several groups and software entries, including Gamaredon Group, MuddyWater, Rocke, Sea Turtle, Cardinal RAT, njRAT, Sliver, FoggyWeb, DarkWatchman, and Samurai; those mappings should guide threat-informed validation without implying current activity in any environment.

The official ATT&CK object provides no detection text and no mitigation text. The detection strategy relationship is named but not detailed in the supplied fields. Any final assessment of exposure or coverage requires local evidence about compiler presence, endpoint telemetry, logging quality, user roles, software development workflows, and execution-control policy.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID        | Name                              | Relationship / procedure
Enterprise | T1027     | Obfuscated Files or Information   | This object is a sub-technique of Obfuscated Files or Information.
Enterprise | T1500     | Compile After Delivery            | T1500 Compile After Delivery was revoked by this object.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. [6][5]

Group (Enterprise)

G0106: Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

Group (Enterprise)

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]

Group (Enterprise)

G1041: Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]

Tool (Enterprise)

S0633: Sliver

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

Platforms: Windows, Linux, macOS

Malware (Enterprise)

S0661: FoggyWeb

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.[1]

Platforms: Windows

Malware (Enterprise)

S0385: njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

Platforms: Windows

Malware (Enterprise)

S0348: Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[1]

Platforms: Windows

Malware (Enterprise)

S1099: Samurai

Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.[1]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 4cd804ad42e3a15e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 2.0            |          | Current bundle | 4cd804ad42e3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] ATTACK IQ: Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.
  [2] ClearSky MuddyWater Nov 2018: ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  [3] TrendMicro WindowsAppMac: Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.
  [4] mitre-attack T1027.004.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.