T1027.008: Stripped Payloads
Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variable names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.[1][2]
Adversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of AppleScript, to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.[3]
Analyst context for executives and security teams
Stripped Payloads matter because they slow down malware triage and can weaken detections that depend on readable strings, symbols, or script contents. For leaders, the issue is not just “obfuscation”; it is whether the organization can still make fast incident decisions when a suspicious binary or script is intentionally hard to inspect across Linux, macOS, Windows, or network-device environments.
Executive priority
Prioritize this as an incident-response and SOC-readiness concern. If analysts cannot quickly recover meaning from stripped binaries or run-only scripts, containment, scoping, and audit-ready evidence can be delayed. Security leaders should ask whether detection engineering relies too heavily on static strings, whether malware-analysis workflows can handle stripped payloads, and whether macOS-specific script formats such as run-only AppleScripts are covered where Macs are in scope.
Technical view
This is a stealth sub-technique of Obfuscated Files or Information. The supplied ATT&CK object has no official detection text, but it is related to DET0019, a detection strategy for stripped payloads across platforms. SOC and IR teams should validate whether file-analysis pipelines identify binaries or scripts with missing symbols, reduced string content, or compiled/run-only script formats, then correlate those findings with execution, file creation, and process behavior. Relationship context highlights macOS relevance through macOS.OSAMiner and Cuckoo Stealer, but the technique’s listed platforms also include Linux, Windows, and network devices.
Likely telemetry
- File metadata and file-type identification for executables, scripts, and payload artifacts
- Static-analysis results showing absent or reduced symbols, strings, or human-readable content
- Endpoint process creation and script execution telemetry
- macOS AppleScript or run-only AppleScript execution and file evidence where available
- Binary format details such as Mach-O, ELF, or other executable characteristics relevant to the local platform
Detection direction
- Do not depend only on string or symbol signatures; validate behavior-based detections around execution, persistence, file writes, and unusual script or binary launches.
- Tune static-analysis alerts so stripped binaries are treated as suspicious context, not automatic maliciousness; legitimate production software may also be stripped.
- For macOS, validate visibility into compiled or run-only AppleScripts and universal Mach-O binaries where applicable.
- Ensure suspicious stripped artifacts are preserved for IR and reverse-engineering triage rather than discarded after hash or reputation checks.
- Use the parent technique context, Obfuscated Files or Information, to correlate stripping with other obfuscation indicators such as encoding, compression, encryption, or archive use.
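As an added example (not part of the ATT&CK object or of Glexia's analysis), the Python below performs the static check the technical view and the detection direction above describe: parse a little-endian ELF64 image, report whether the linker's `.symtab` is absent, and measure printable-string density, so a stripped binary becomes a triage signal rather than an automatic verdict. The ELF images are constructed fixtures built by the `build_elf` helper, which is a demo aid and not a real toolchain; `section_names` and `triage` work on real ELF64 files as well.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"

def section_names(data: bytes) -> list[str]:
    """Resolve each section-header name of a little-endian ELF64 image via .shstrtab."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shnum == 0:          # packed or sectionless image: no names to recover
        return []
    # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    hdrs = [struct.unpack_from("<IIQQQQ", data, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]
    strtab = hdrs[e_shstrndx][4]
    return [data[strtab + h[0]:data.index(b"\0", strtab + h[0])].decode() for h in hdrs]

def triage(data: bytes, min_len: int = 4) -> dict:
    """Two static signs of a stripped payload: strip(1) drops .symtab/.strtab (a .dynsym
    alone only names imports/exports), and the share of printable string bytes falls."""
    names = section_names(data)
    string_bytes = sum(len(s) for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))
    return {"sections": names,
            "stripped": ".symtab" not in names,
            "string_ratio": round(string_bytes / len(data), 3)}

def build_elf(sections: list[str], blob: bytes = b"") -> bytes:
    """Constructed fixture for the demo: a minimal ELF64 image carrying the given
    section names, a .shstrtab, and an arbitrary data blob. Not executable."""
    names = [""] + sections + [".shstrtab"]
    shstrtab, offs = b"", []
    for n in names:
        offs.append(len(shstrtab))
        shstrtab += n.encode() + b"\0"
    str_off = 64 + len(blob)
    shoff = (str_off + len(shstrtab) + 7) & ~7          # 8-byte aligned section table
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names), len(names) - 1)
    img = ehdr + blob + shstrtab
    img += b"\0" * (shoff - len(img))
    for i, n in enumerate(names):
        typ = {"": 0, ".shstrtab": 3, ".symtab": 2}.get(n, 1)
        off, size = (str_off, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        img += struct.pack("<IIQQQQIIQQ", offs[i], typ, 0, 0, off, size, 0, 0, 0, 0)
    return img

DEBUG = build_elf([".text", ".symtab", ".strtab"], b"main_loop\0fetch_config_url\0")  # constructed
STRIPPED = build_elf([".text", ".dynsym"], b"\x48\x31\xc0\xc3" * 8)                     # constructed
```

Running `triage(DEBUG)` and `triage(STRIPPED)` shows the symbol table present only in the first image and a noticeably lower string ratio in the second; in a pipeline, feed that result into behavioral correlation rather than alerting on it alone, since legitimate release builds are stripped too.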
Mitigation priorities
- Reduce analysis delay by standardizing suspicious-file collection, sandboxing, and reverse-engineering escalation paths.
- Strengthen endpoint and script-execution controls so detection does not rely solely on readable payload content.
- Maintain behavioral analytics for execution and file activity across Linux, macOS, Windows, and monitored network devices.
- For macOS fleets, include AppleScript visibility and controls in hardening and IR playbooks where business use permits.
- Document detection limitations and sample-handling procedures as compliance evidence for malware response readiness.
Analyst notes and limits
The practical value of this technique is in exposing gaps in static analysis, triage speed, and script/binary visibility. The relationship data supports macOS-specific concern through macOS.OSAMiner and Cuckoo Stealer, while the technique platform list supports broader validation across Linux, macOS, network devices, and Windows.
The official ATT&CK detection field is not provided, and the supplied relationship to DET0019 does not include detection logic details. No active exploitation, customer exposure, attribution, or guaranteed detection coverage should be inferred from this object alone. Local telemetry and platform inventory are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | This object is a subtechnique of Obfuscated Files or Information. |
Groups, software, and campaigns
S1048: macOS.OSAMiner
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]
S1153: Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs (PUPs) such as converters, cleaners, and uninstallers.[1][2]
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Stephen Eckels. (2022, February 28). Ready, Set, Go — Golang Internals and Symbol Recovery. Mandiant. Retrieved September 29, 2022.
[2] Ignacio Sanmillan. (2018, February 7). Executable and Linkable Format 101. Part 2: Symbols. Intezer. Retrieved September 29, 2022.
[3] Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. SentinelLabs. Retrieved September 29, 2022.
[4] MITRE ATT&CK. T1027.008: Stripped Payloads.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.