MITRE ATT&CK® Technique

T1027.014: Polymorphic Code

Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.[1] With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.[2] Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as Software Packing, Command Obfuscation, or Encrypted/Encoded File.[3][4]

Enterprise | T1027.014 | Sub-technique | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Polymorphic Code matters because it is designed to make the same malware look different each time it runs, weakening defenses that depend mainly on static signatures or known file patterns. For leaders, the practical issue is not just malware detection; it is whether endpoint, SOC, and incident response processes can recognize suspicious behavior when the file itself keeps changing across Linux, macOS, and Windows environments.

Executive priority

Treat this as a resilience and assurance question: can the organization detect and contain malicious behavior when signature-based antivirus evidence is incomplete or unstable? Priority should go to validating behavior-based endpoint prevention, antimalware coverage, and SOC workflows that do not depend solely on matching known hashes or static indicators. This also supports audit and compliance evidence by showing that malware controls address evasive techniques, not only known malware signatures.

Technical view

ATT&CK lists Polymorphic Code as a stealth sub-technique of Obfuscated Files or Information for Linux, macOS, and Windows. The key defensive validation is whether endpoint and SOC telemetry can connect changing files or runtime footprints to consistent malicious behavior. Because official ATT&CK detection text is not provided, teams should use the related detection strategy, DET0324 Detection Strategy for Polymorphic Code Mutation and Execution, as relationship context and validate locally against endpoint behavior, process activity, file mutation, API or execution patterns, and alerts from behavior-based controls. The BendyBear software relationship shows ATT&CK-documented use in at least one Windows malware context, but it should not be generalized into current activity or attribution without separate intelligence.

Likely telemetry

  • Endpoint process execution events across Linux, macOS, and Windows
  • File creation, modification, and execution metadata, including changing hashes or runtime artifacts
  • Endpoint antimalware and EDR alerts based on heuristics or behavioral analysis
  • API call or process behavior telemetry where available from endpoint controls
  • Evidence of related obfuscation behaviors such as packing, command obfuscation, or encrypted/encoded files when collected

Detection direction

  • Do not rely only on static signatures, hashes, or known-file detections; validate behavior-based detection paths.
  • Tune detections around repeated execution of functionally similar code with changing file or runtime characteristics, while accounting for legitimate software update, build, scripting, and packaging activity.
  • Correlate endpoint behavior with file mutation indicators and related obfuscation patterns under T1027 where telemetry supports it.
  • Confirm coverage separately for Linux, macOS, and Windows rather than assuming one endpoint control produces equivalent visibility on all platforms.
  • Use DET0324 as the ATT&CK relationship-driven detection reference, but require local testing because the technique object does not provide official detection logic.
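The second and third bullets above, as an added illustration that is not Glexia's or MITRE's code and does not reproduce any DET0324 logic: a toy Python correlation rule that groups endpoint execution events by host, parent process and launch path, flags a context that runs three or more distinct file hashes inside a time window, and skips an assumed allowlist of build and updater parents so legitimate compile and update activity does not alert. All events, paths and hashes are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, host, platform, parent, path, sha256).
# Hashes are short placeholders standing in for full SHA-256 values.
EVENTS = [
    ("2024-09-27T10:00:00", "ws-01", "windows", "Temp\\drop.exe", "Temp\\stage.tmp", "h-a1"),
    ("2024-09-27T10:05:00", "ws-01", "windows", "Temp\\drop.exe", "Temp\\stage.tmp", "h-b2"),
    ("2024-09-27T10:09:00", "ws-01", "windows", "Temp\\drop.exe", "Temp\\stage.tmp", "h-c3"),
    ("2024-09-27T10:00:00", "build-7", "linux", "/usr/bin/make", "/tmp/ccXYZ.o", "h-11"),
    ("2024-09-27T10:01:00", "build-7", "linux", "/usr/bin/make", "/tmp/ccXYZ.o", "h-22"),
    ("2024-09-27T10:02:00", "build-7", "linux", "/usr/bin/make", "/tmp/ccXYZ.o", "h-33"),
    ("2024-09-27T09:00:00", "mac-3", "macos", "/bin/zsh", "/tmp/agent", "h-x1"),
    ("2024-09-27T10:00:00", "mac-3", "macos", "/bin/zsh", "/tmp/agent", "h-x1"),
]

# Assumed allowlist: launch contexts that legitimately emit many distinct binaries
# (compilers, build systems, software updaters, packaging tools). Tune per environment.
ALLOWLISTED_PARENTS = {"/usr/bin/make", "/usr/bin/gcc", "C:\\Program Files\\Updater\\update.exe"}


def find_mutating_executions(events, window=timedelta(minutes=30), min_distinct=3,
                             allow=ALLOWLISTED_PARENTS):
    """Return one alert per (host, platform, parent, path) context that executed
    at least `min_distinct` different hashes within `window`, ignoring allowlisted parents."""
    by_ctx = defaultdict(list)
    for ts, host, platform, parent, path, sha in events:
        by_ctx[(host, platform, parent, path)].append((datetime.fromisoformat(ts), sha))
    alerts = []
    for (host, platform, parent, path), runs in by_ctx.items():
        if parent in allow:
            continue
        runs.sort()
        # Sliding window anchored at each run: collect distinct hashes seen within `window`.
        for i, (start, _) in enumerate(runs):
            hashes = {sha for t, sha in runs[i:] if t - start <= window}
            if len(hashes) >= min_distinct:
                alerts.append({"host": host, "platform": platform, "parent": parent,
                               "path": path, "distinct_hashes": len(hashes)})
                break  # one alert per context is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_mutating_executions(EVENTS):
        print(alert)
```

Running it flags only ws-01, where the same parent relaunches the same path with three hashes in nine minutes; build-7 is suppressed by the allowlist and mac-3 never changes hash.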

Mitigation priorities

  • Prioritize M1040 Behavior Prevention on Endpoint so controls can analyze suspicious process, file, API, and endpoint behavior rather than depend only on signatures.
  • Maintain M1049 Antivirus/Antimalware broadly across endpoints with automated updates, while recognizing that polymorphism is specifically intended to challenge traditional signature-based detection.
  • Layer antimalware with behavioral monitoring and SOC correlation to improve resilience against changing runtime footprints.
  • Review endpoint control deployment and policy consistency across Linux, macOS, and Windows assets.
  • Ensure incident response playbooks preserve changing samples, execution context, and endpoint telemetry so responders can analyze behavior even when hashes differ.

Analyst notes and limits

This take is based on the official ATT&CK technique fields, external references, and supplied relationships. The most decision-relevant points are the stealth objective, cross-platform scope, relationship to broader obfuscation behavior, and mitigations emphasizing endpoint behavior prevention and antimalware. The BendyBear relationship is useful as documented ATT&CK context but should not be used alone for attribution or current threat claims.

Official ATT&CK detection guidance for this object is not provided, and the supplied DET0324 relationship does not include detailed detection logic. Local telemetry quality, endpoint product capabilities, platform coverage, and false-positive baselines are required to determine actual detection or mitigation effectiveness.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1027
Name: Obfuscated Files or Information
Relationship / procedure: This object is a sub-technique of Obfuscated Files or Information.

Associated objects

Groups, software, and campaigns

Malware Enterprise

S0574: BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[1]

Platform: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: b1837167de060be5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | b1837167de06…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] polymorphic-blackberry: Blackberry. (n.d.). What is Polymorphic Malware? Retrieved September 27, 2024.
  2. [2] polymorphic-sentinelone: SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.
  3. [3] polymorphic-linkedin: Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.
  4. [4] polymorphic-medium: Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.
  5. [5] mitre-attack T1027.014

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.