MITRE ATT&CK® Technique

T1574.006: Dynamic Linker Hijacking

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.[1][2][3] Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.[4][5][6] Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.[7]

Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library’s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to Hide Artifacts from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.[8][9][10]

Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.
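The description above says the loader honours both environment variables and files at process start, which is exactly what a responder has to go and look at on a live host. The following is an added example, not part of the ATT&CK entry or of Glexia's analysis: a Linux-only audit that reads the inherited environment and the mapped shared objects of every process from /proc and also lists /etc/ld.so.preload, the file ld.so consults for libraries to load into every process. The variable watchlist, the trusted-directory baseline and the sample values in the test are assumptions.

```python
import os
import re
# Assumed watchlist of loader variables and assumed baseline of trusted library dirs
LINKER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
SO_NAME = re.compile(r"\.so(\.\d+)*$")  # libfoo.so, libc.so.6, ...

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated /proc/<pid>/environ blob into a dict."""
    pairs = (e.partition(b"=") for e in raw.split(b"\0") if b"=" in e)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def linker_vars_set(env: dict) -> dict:
    """Return the loader variables that are present and non-empty."""
    return {k: v for k, v in env.items() if k in LINKER_VARS and v}

def untrusted_mapped_libs(maps_text: str) -> list:
    """From /proc/<pid>/maps text, list mapped shared objects outside trusted dirs."""
    found = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5].strip()
        if SO_NAME.search(os.path.basename(path)) and not path.startswith(TRUSTED_LIB_PREFIXES):
            if path not in found:
                found.append(path)
    return found

def parse_preload_file(text: str) -> list:
    """Entries of /etc/ld.so.preload, which ld.so loads into every process; '#' starts a comment."""
    return [e for e in (l.split("#", 1)[0].strip() for l in text.splitlines()) if e]

def audit_process(pid: int, proc: str = "/proc") -> dict:
    """Collect both indicators for one live process (needs read access to its /proc entry)."""
    base = os.path.join(proc, str(pid))
    with open(os.path.join(base, "environ"), "rb") as f:
        env = parse_environ(f.read())
    with open(os.path.join(base, "maps")) as f:
        libs = untrusted_mapped_libs(f.read())
    return {"pid": pid, "linker_vars": linker_vars_set(env), "untrusted_libs": libs}

if __name__ == "__main__":  # walk the live host; silently skip processes we cannot read
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", parse_preload_file(f.read()))
    for pid in (int(p) for p in os.listdir("/proc") if p.isdigit()):
        try:
            r = audit_process(pid)
        except OSError:
            continue
        if r["linker_vars"] or r["untrusted_libs"]:
            print(r)
```

If a preload has been applied system-wide, this script inherits it like every other dynamically linked process, so its own readdir and file reads may be hooked; run it as a statically linked tool or from a clean boot medium when that is suspected.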

Enterprise | T1574.006 | Sub-technique | Object v3.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Dynamic Linker Hijacking matters because a Linux or macOS program can be made to load an attacker-controlled shared library before the expected system library. That can turn otherwise legitimate processes into execution and stealth vehicles, potentially exposing process memory, system or network resources, and privileges associated with the victim process. For leaders, the key issue is not just malware execution; it is whether Unix-like servers, macOS endpoints, container-adjacent Linux systems, and network appliances have enough hardening and telemetry to prove trusted code is being loaded at runtime.

Executive priority

Prioritize this where Linux or macOS systems support business-critical services, identity infrastructure, developer workstations, cloud workloads, or appliances. The ATT&CK relationships tie this behavior to Hijack Execution Flow and to malware families affecting Linux, macOS, containers/IaaS, and network devices, so coverage should be assessed as part of resilience, incident response readiness, and audit evidence for execution control and operating system hardening. Executives should ask whether teams can identify suspicious dynamic linker environment variables and unauthorized shared library loading before an incident depends on forensic reconstruction.

Technical view

ATT&CK lists this as a Linux and macOS sub-technique under Hijack Execution Flow, with tactics of execution and stealth. The behavior centers on dynamic linker variables and files such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS, where specified libraries can take precedence during program startup. SOC and IR teams should validate visibility into process launches, inherited environment variables, shared library loads, modified or unusual .so/dylib files, and trusted processes unexpectedly loading nonstandard libraries. Particular attention should be paid to long-running service parents and descendants, such as the ATT&CK-described sshd example, because malicious library loading may occur under otherwise legitimate process names.

Likely telemetry

  • Process creation events with command line, parent/child process lineage, user, and executable path on Linux and macOS
  • Captured process environment variables or equivalent endpoint telemetry showing dynamic linker variables such as LD_PRELOAD and DYLD_INSERT_LIBRARIES
  • Dynamic/shared library load telemetry, including library path, process name, signer or file metadata where available, and load order indicators
  • File creation/modification events for shared libraries and dynamic linker configuration-related locations
  • Integrity or configuration monitoring for operating system hardening baselines and unauthorized library paths

Detection direction

  • Because ATT&CK provides no official detection text, treat detection as a validation exercise rather than an assumed control.
  • Use the related DET0435 detection strategy as a starting point for engineering detections around Hijack Execution Flow: Dynamic Linker Hijacking.
  • Alert on risky dynamic linker environment variables applied to sensitive, privileged, externally exposed, or high-value processes, while accounting for legitimate developer/debugging use to reduce false positives.
  • Baseline expected shared libraries and load paths for critical services; investigate nonstandard writable paths, recently created libraries, or libraries loaded before expected system libraries.
  • Correlate suspicious library loading with stealth indicators described by ATT&CK, such as attempts to affect functions used by common administrative commands or hide artifacts from command output.
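The detection direction above, worked through as an added example that is not from ATT&CK, DET0435 or Glexia: a small rule over constructed process-creation telemetry (one JSON event per line) that alerts when LD_PRELOAD or DYLD_INSERT_LIBRARIES reaches a sensitive process or its child, or points at a library outside the trusted system directories, and suppresses known developer use. The field names, the sensitive-process set, the trusted directories and the allowlist are assumptions for illustration.

```python
import json
import os
# Assumed field names (pid, exe, parent_exe, user, env) and assumed site baselines
LINKER_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")
SENSITIVE_EXES = {"/usr/sbin/sshd", "/usr/sbin/cron", "/usr/bin/sudo", "/usr/sbin/nginx"}
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/",
                    "/System/Library/", "/Library/Apple/")
ALLOWLIST = {("dev-alice", "libasan.so.8")}  # (user, library basename) known debugging use

def preload_paths(env: dict) -> list:
    """Split LD_PRELOAD-style values; both ':' and whitespace separate entries."""
    paths = []
    for var in LINKER_VARS:
        paths += env.get(var, "").replace(":", " ").split()
    return paths

def evaluate(event: dict) -> dict:
    """Verdict for one process-creation event: alert flag plus the reasons that fired."""
    paths = preload_paths(event.get("env", {}))
    if not paths:
        return {"alert": False, "reasons": []}
    reasons = []
    if {event.get("exe"), event.get("parent_exe")} & SENSITIVE_EXES:
        reasons.append("sensitive process or parent")
    for p in paths:
        if not p.startswith(TRUSTED_LIB_DIRS):
            reasons.append(f"untrusted library path {p}")
    if all((event.get("user"), os.path.basename(p)) in ALLOWLIST for p in paths):
        reasons.append("allowlisted developer use")  # record it, but do not alert
        return {"alert": False, "reasons": reasons}
    return {"alert": bool(reasons), "reasons": reasons}

def run(lines) -> dict:
    """Evaluate JSON-lines telemetry; returns {pid: verdict}."""
    verdicts = {}
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            verdicts[ev["pid"]] = evaluate(ev)
    return verdicts
# Constructed sample telemetry, not real logs
SAMPLE_EVENTS = [
    '{"pid":4021,"exe":"/bin/bash","parent_exe":"/usr/sbin/sshd","user":"root",'
    '"env":{"LD_PRELOAD":"/tmp/.x/libhide.so"}}',
    '{"pid":4022,"exe":"/home/dev-alice/build/app","parent_exe":"/bin/bash","user":"dev-alice",'
    '"env":{"LD_PRELOAD":"/home/dev-alice/.local/lib/libasan.so.8"}}',
    '{"pid":4023,"exe":"/usr/local/bin/node","parent_exe":"/bin/zsh","user":"bob",'
    '"env":{"DYLD_INSERT_LIBRARIES":"/Users/bob/lib/libx.dylib"}}',
    '{"pid":4024,"exe":"/usr/bin/python3","parent_exe":"/bin/bash","user":"bob","env":{"PATH":"/usr/bin"}}',
]

if __name__ == "__main__":
    for pid, v in run(SAMPLE_EVENTS).items():
        print(pid, "ALERT" if v["alert"] else "ok", v["reasons"])
```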

Mitigation priorities

  • Start with operating system configuration hardening aligned to M1028: reduce unnecessary functionality, protect dynamic linker-related configuration, and enforce secure defaults on Linux and macOS systems.
  • Apply execution prevention aligned to M1038: restrict unauthorized or untrusted code and shared libraries from executing or loading where feasible.
  • Prioritize critical servers, identity-facing services, developer build systems, cloud Linux workloads, macOS endpoints, and supported network devices because the supplied relationships include Linux, macOS, Containers, IaaS, and Network Devices in associated software context.
  • Use file integrity monitoring and change-control evidence for shared library locations and service runtime configuration to support compliance and IR readiness.
  • Ensure incident response playbooks include collection of process environment, library load evidence, service lineage, and suspicious shared libraries before systems are rebuilt or restarted.

Analyst notes and limits

This object is a sub-technique of T1574 Hijack Execution Flow and is scoped by ATT&CK to Linux and macOS for the technique itself. The official description emphasizes execution and stealth through dynamic linker behavior, including LD_PRELOAD and DYLD_INSERT_LIBRARIES, and notes possible access to process memory, system/network resources, and elevated privileges. Relationship context indicates one detection strategy and mitigations M1028 Operating System Configuration and M1038 Execution Prevention, plus observed use relationships to named groups and software; these relationships should inform threat modeling without implying current activity in any specific environment.

MITRE does not provide official detection guidance for this object in the supplied fields. The related detection strategy is named but not detailed here. Practical detection quality depends on whether the organization collects environment variables, shared library load events, and file integrity evidence on Linux and macOS. This take does not assess likelihood of exploitation, attribution, or customer exposure without local telemetry and threat intelligence.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1574
Name: Hijack Execution Flow
Relationship / procedure: This object is a sub-technique of Hijack Execution Flow.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0143: Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]

Group Enterprise

G0106: Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Malware Enterprise

S0601: Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard.[1]

Platforms: Linux, Containers, IaaS
Malware Enterprise

S0394: HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[1]

Platforms: Linux
Malware Enterprise

S0658: XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]

Platforms: macOS
Malware Enterprise

S9024: SPAWNCHIMERA

SPAWNCHIMERA is a backdoor that supports command and control and can inject malicious components into native processes.[1][2][3] SPAWNCHIMERA incorporates capabilities from multiple tools within the SPAWN malware family, including SPAWNANT, SPAWNMOLE, and SPAWNSNAIL.[4][2][3] SPAWNCHIMERA was first reported in April 2024.[2] SPAWNCHIMERA has been observed in activity attributed to People's Republic of China (PRC) state-sponsored threat actors, including UNC5221.[4][5][2][6]

Platforms: Linux, Network Devices
Malware Enterprise

S1105: COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[1]

Platforms: Linux, Network Devices
Malware Enterprise

S1220: MEDUSA

MEDUSA is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.[1]

Platforms: Linux
Malware Enterprise

S0377: Ebury

Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[1][2][3][4]

Platforms: Linux
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 809e89f758ee7108...

Imported snapshots across ATT&CK releases (1)
  • Release 19.1, object version 3.0, status: Current bundle, raw hash 809e89f758ee…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] TheEvilBit DYLD_INSERT_LIBRARIES: Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.
  [2] Timac DYLD_INSERT_LIBRARIES: Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.
  [3] Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass: Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II. Retrieved March 24, 2021.
  [4] Man LD.SO: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.
  [5] TLDP Shared Libraries: The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.
  [6] Apple Doco Archive Dynamic Libraries: Apple Inc. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.
  [7] Baeldung LD_PRELOAD: baeldung. (2020, August 9). What Is the LD_PRELOAD Trick? Retrieved March 24, 2021.
  [8] ESET Ebury Oct 2017: Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  [9] Intezer Symbiote 2022: Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.
  [10] Elastic Security Labs Pumakit 2024: Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.
  [11] mitre-attack T1574.006.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.