T1614: System Location Discovery
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[1][2][3] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[1] In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.[4][5]
Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[6][2]
Analyst context for executives and security teams
System Location Discovery is a reconnaissance behavior where malware or an operator tries to infer where a host or cloud instance is located using locale, language, keyboard, time zone, IP geolocation, or cloud metadata such as availability zone. Its business significance is that location can influence what the adversary does next, including whether to continue infection or choose specific follow-on actions. For leaders, this is not usually a high-impact event by itself, but it can be an early context signal that an intrusion is profiling the environment before deeper access or payload deployment.
Executive priority
Prioritize this as part of discovery-stage visibility and response readiness, especially for organizations with geographically segmented operations, cloud workloads, regulated data residency requirements, or critical infrastructure exposure. Executives should ask whether SOC and IR teams can distinguish normal software inventory/localization checks from suspicious host profiling, and whether cloud metadata access is monitored well enough to support incident reconstruction. Because the ATT&CK object has no official detection text, coverage should be validated rather than assumed.
Technical view
T1614 applies to IaaS, Linux, macOS, and Windows under the Discovery tactic. Defenders should validate telemetry for attempts to read system locale, language, keyboard layout, and time zone settings; Windows locale API usage such as GetLocaleInfoW where endpoint tooling exposes it; outbound requests to IP geolocation services; and access to cloud instance metadata services for availability zone or instance identity document information. Relationship context shows this behavior is associated with multiple RATs, loaders, stealers, ransomware families, and groups, plus the System Language Discovery sub-technique T1614.001. Treat it as a correlation signal: more meaningful when paired with execution, persistence, command-and-control, downloader, or ransomware-preparation activity than when observed alone.
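Validating that telemetry is easiest with a known-good emulation of the checks the technique description lists. The script below is an added example written for this page, not code from MITRE ATT&CK or from any malware family named here. It gathers locale and keyboard layout (GetLocaleInfoW and GetKeyboardLayout on Windows, the locale module elsewhere), the time zone, and the cloud instance metadata service (AWS IMDSv2 instance identity document, then Azure IMDS with the Metadata header), and applies a precedence order to produce a single location hint. The 0.5 s timeout, the precedence order, and the field names are my assumptions; the IMDS paths and headers are the providers' documented ones.

```python
"""Emulate the host checks behind System Location Discovery (added example)."""
import ctypes
import datetime
import http.client
import json
import locale
import sys
import time
import urllib.request
from typing import Optional, Tuple

IMDS = "http://169.254.169.254"  # link-local metadata endpoint shared by AWS and Azure


def parse_aws_identity_document(text: str) -> dict:
    """Pull region and availability zone out of an EC2 instance identity document."""
    doc = json.loads(text)
    return {"provider": "aws", "region": doc.get("region"),
            "zone": doc.get("availabilityZone")}


def parse_azure_instance_metadata(text: str) -> dict:
    """Pull location and zone out of an Azure /metadata/instance response."""
    compute = json.loads(text).get("compute", {})
    return {"provider": "azure", "region": compute.get("location"),
            "zone": compute.get("zone") or None}  # Azure reports "" when no zone is used


def _http(method: str, url: str, headers: dict, timeout: float = 0.5) -> Optional[str]:
    """Minimal HTTP helper: no IMDS, a firewall, or IMDSv1-only all yield None."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except (OSError, http.client.HTTPException, ValueError):
        return None


def query_imds() -> Optional[dict]:
    """AWS IMDSv2 first (session token, then identity document), then Azure IMDS."""
    token = _http("PUT", f"{IMDS}/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    if token:
        doc = _http("GET", f"{IMDS}/latest/dynamic/instance-identity/document",
                    {"X-aws-ec2-metadata-token": token})
        if doc:
            return parse_aws_identity_document(doc)
    azure = _http("GET", f"{IMDS}/metadata/instance?api-version=2021-02-01",
                  {"Metadata": "true"})
    return parse_azure_instance_metadata(azure) if azure else None


def windows_locale_signals() -> dict:
    """The Win32 path the technique description mentions; only called on Windows."""
    LOCALE_USER_DEFAULT = 0x0400
    LOCALE_SISO639LANGNAME, LOCALE_SISO3166CTRYNAME = 0x59, 0x5A
    kernel32, user32 = ctypes.windll.kernel32, ctypes.windll.user32
    buf = ctypes.create_unicode_buffer(16)
    out = {}
    for key, lctype in (("language", LOCALE_SISO639LANGNAME),
                        ("country", LOCALE_SISO3166CTRYNAME)):
        if kernel32.GetLocaleInfoW(LOCALE_USER_DEFAULT, lctype, buf, len(buf)):
            out[key] = buf.value
    out["keyboard_langid"] = user32.GetKeyboardLayout(0) & 0xFFFF  # low word is the language ID
    return out


def local_signals() -> dict:
    """Locale and time zone from the OS, plus the Win32 extras when available."""
    try:
        lang, _ = locale.getlocale()        # e.g. ('en_US', 'UTF-8'); (None, None) for "C"
    except ValueError:                      # unparsable locale string
        lang = None
    offset = datetime.datetime.now().astimezone().utcoffset()
    sig = {"platform": sys.platform, "locale": lang, "tz_name": time.tzname[0],
           "utc_offset_h": offset.total_seconds() / 3600 if offset else 0.0}
    if sys.platform == "win32":
        sig.update(windows_locale_signals())
    return sig


def location_hint(signals: dict) -> Optional[Tuple[str, str]]:
    """Assumed precedence: cloud region, then Win32 country code, then locale suffix."""
    if signals.get("region"):
        return ("cloud_region", signals["region"])
    if signals.get("country"):
        return ("win32_country", signals["country"])
    loc = signals.get("locale") or ""
    if "_" in loc:                          # de_DE -> DE
        return ("locale", loc.split("_", 1)[1][:2].upper())
    return None


if __name__ == "__main__":
    signals = local_signals()
    signals.update(query_imds() or {})
    print(json.dumps(signals, indent=2))
    print("hint:", location_hint(signals))
```

Run it on a test host under your endpoint and cloud telemetry and check what actually surfaces: the kernel32/user32 calls, the PUT to 169.254.169.254, the Azure request with the Metadata header. Whatever is missing is the coverage gap the Technical view asks teams to validate rather than assume.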
Likely telemetry
- Endpoint process, script, and command-line telemetry related to locale, language, keyboard, and time zone discovery
- Endpoint API or behavioral telemetry showing Windows locale queries where available
- Network, DNS, proxy, or EDR network telemetry for outbound IP geolocation lookups
- Cloud workload telemetry for requests from instances to instance metadata services, including availability-zone or instance-identity-document access
- Host inventory and configuration data needed to baseline legitimate localization checks
Detection direction
- Use DET0043, if available in the local ATT&CK content set, as a starting point, but validate it against local telemetry because the official ATT&CK detection field for T1614 is not provided.
- Baseline legitimate locale and metadata queries from operating systems, management agents, installers, browsers, and cloud agents to reduce false positives.
- Tune for unusual parent processes, scripting runtimes, recently delivered binaries, or malware-like chains performing location checks shortly after execution.
- Correlate external geolocation service access with suspicious process lineage or other discovery behavior; geolocation lookups alone can be benign.
- In cloud environments, review whether metadata service access is visible from workloads and whether unusual metadata reads can be tied back to process or instance context.
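The correlation logic described in the list above, as an added example for this page: it is not an official ATT&CK analytic and not DET0043. It classifies process-creation and network events into the signal categories the page lists (locale, keyboard, time zone, IP geolocation, cloud metadata), attributes each event to the highest untrusted ancestor in its process tree (a script host, or a binary run from a user-writable path), and alerts when one lineage shows checks from two or more categories, or an external lookup from an untrusted lineage, shortly after that root was first seen. The command-line patterns, geolocation domains, benign parents, time window, and the sample events are constructed assumptions to be replaced with local baselines.

```python
"""Correlate location-discovery signals across a process lineage (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

CMDLINE_SIGNALS = [  # (category, pattern): assumed, tune to local tooling
    ("locale", re.compile(r"Get-(WinSystemLocale|Culture)\b|localectl|Control Panel\\International", re.I)),
    ("keyboard", re.compile(r"Get-WinUserLanguageList|Keyboard Layout\\Preload", re.I)),
    ("timezone", re.compile(r"Get-TimeZone|tzutil\s+/g|timedatectl|/etc/timezone", re.I)),
]
GEOIP_HOSTS = {"ip-api.com", "ipinfo.io", "ifconfig.co"}  # assumed example lookup services
IMDS_IP = "169.254.169.254"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "node.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|^/tmp/|^/dev/shm/", re.I)
BENIGN = {"msiexec.exe", "amazon-ssm-agent", "windowsazureguestagent.exe"}  # assumed baseline
WINDOW_SECONDS = 120  # "shortly after execution": assumed window


def basename(image: str) -> str:
    return re.split(r"[\\/]", image)[-1].lower()


def is_untrusted(image: str) -> bool:
    return basename(image) in SCRIPT_HOSTS or USER_WRITABLE.search(image) is not None


def classify(ev: dict) -> List[str]:
    """Map one event to zero or more location-signal categories."""
    if ev["type"] == "process":
        return [c for c, rx in CMDLINE_SIGNALS if rx.search(ev.get("cmdline", ""))]
    dest = ev.get("dest", "").lower()
    if dest == IMDS_IP:
        return ["imds"]
    return ["geoip"] if dest in GEOIP_HOSTS else []


def build_process_table(events: List[dict]) -> Dict[int, dict]:
    """pid -> {image, ppid, ts}; parents seen only through a child get a stub entry."""
    procs: Dict[int, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            procs[ev["pid"]] = {"image": ev["image"], "ppid": ev["ppid"], "ts": ev["ts"]}
            procs.setdefault(ev["ppid"], {"image": ev["parent_image"], "ppid": None, "ts": ev["ts"]})
        else:
            procs.setdefault(ev["pid"], {"image": ev["image"], "ppid": None, "ts": ev["ts"]})
    return procs


def lineage_root(pid: int, procs: Dict[int, dict]) -> int:
    """Highest ancestor (self included) that is a script host or runs from a user-writable path."""
    best, cur, seen = pid, pid, set()
    while cur in procs and cur not in seen:
        seen.add(cur)
        if is_untrusted(procs[cur]["image"]):
            best = cur
        cur = procs[cur]["ppid"]
    return best


def detect(events: List[dict]) -> List[dict]:
    """Group signals per (host, lineage root) and apply the alert rule."""
    procs = build_process_table(events)
    groups = defaultdict(lambda: {"cats": set(), "last": 0})
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = classify(ev)
        if not cats:
            continue
        g = groups[(ev["host"], lineage_root(ev["pid"], procs))]
        g["cats"].update(cats)
        g["last"] = max(g["last"], ev["ts"])
    alerts = []
    for (host, root), g in groups.items():
        info = procs[root]
        parent = procs.get(info["ppid"], {}).get("image", "")
        if basename(info["image"]) in BENIGN or basename(parent) in BENIGN:
            continue                                    # baselined legitimate lineage
        age = g["last"] - info["ts"]                    # seconds since the root was first seen
        external = bool(g["cats"] & {"geoip", "imds"})
        if age <= WINDOW_SECONDS and (len(g["cats"]) >= 2 or (external and is_untrusted(info["image"]))):
            alerts.append({"host": host, "pid": root, "image": info["image"],
                           "categories": sorted(g["cats"]), "age_s": age})
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, Sysmon-like fields reduced to what the rule needs
    # installer checks the time zone once: single category under a baselined parent
    {"type": "process", "ts": 1000, "host": "ws1", "pid": 301, "ppid": 300,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "cmd.exe /c tzutil /g"},
    # script host spawns a locale check and a time zone check, then one child geolocates the host
    {"type": "process", "ts": 2000, "host": "ws1", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "cmdline": "powershell -nop -c Get-Culture"},
    {"type": "process", "ts": 2003, "host": "ws1", "pid": 201, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "cmdline": "powershell -nop -c tzutil /g"},
    {"type": "network", "ts": 2010, "host": "ws1", "pid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dest": "ip-api.com"},
    # cloud: the SSM agent reading IMDS is baseline; a binary run from /tmp doing the same is not
    {"type": "network", "ts": 3000, "host": "i-0abc", "pid": 500, "image": "/usr/bin/amazon-ssm-agent", "dest": IMDS_IP},
    {"type": "network", "ts": 3100, "host": "i-0abc", "pid": 777, "image": "/tmp/.cache/agent", "dest": IMDS_IP},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts: the wscript.exe lineage (locale, time zone, and geolocation within ten seconds) and the /tmp binary reading IMDS; the installer's single tzutil call and the SSM agent's metadata read stay silent. Attributing to the highest untrusted ancestor is what keeps a loader that spreads its checks across several short-lived children from looking like several harmless one-category processes.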
Mitigation priorities
- Establish endpoint and cloud logging coverage first; this technique is difficult to action without process, network, and cloud workload context.
- Harden and monitor access to cloud instance metadata services according to provider guidance, especially for workloads that do not require metadata access.
- Apply egress monitoring or policy controls for unnecessary outbound access to IP geolocation services, while accounting for legitimate application use.
- Use application control, script control, and least-privilege execution policies to reduce opportunities for untrusted code to perform automated host profiling.
- Document detection and response evidence for compliance programs that require proof of discovery-stage monitoring and incident reconstruction capability.
Analyst notes and limits
The relationship set is useful because it shows T1614 appearing across many software families, including RATs, loaders, stealers, and ransomware-related tooling, and includes a related group with critical infrastructure context. That makes the technique valuable for enrichment and triage, but not for standalone attribution. The sub-technique T1614.001 narrows part of the behavior to system language discovery on Linux, macOS, and Windows.
MITRE does not provide an official detection section for this technique in the supplied object. No mitigations are explicitly listed in the supplied fields. Local environment baselines are required because locale, time zone, language, geolocation, and cloud metadata checks can be routine in legitimate software and cloud operations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1614.001 | System Language Discovery | Sub-technique of this object. |
Groups, software, and campaigns
G1008: SideCopy
SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of Sidewinder, a suspected Indian threat group.[1]
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
S0673: DarkWatchman
DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[1]
S1138: Gootloader
Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an "Initial Access as a Service" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.[1][2]
S0013: PlugX
S1153: Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[1][2]
S9034: Tsundere Botnet
Tsundere Botnet is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. Tsundere Botnet is attributed to a likely Russian-speaking threat actor.
A variant named DinDoor has been linked to MuddyWater operations and uses the Deno runtime for execution rather than Node.js.[1][2][3][4]
S1111: DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
S1124: SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]
S1248: XORIndex Loader
XORIndex Loader is a XOR-encoded loader that collects host data, decodes follow-on scripts, and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. It has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview, and has been delivered to victims through code repository sites using typosquatted names that mimic various npm packages.[1]
S0262: QuasarRAT
S9030: SameCoin
S9019: PureCrypter
PureCrypter is a fully-featured malware loader, developed by a threat actor called “PureCoder," that has been in use since at least 2021 to distribute a variety of remote access trojans and information stealers.[1]
S0461: SDBbot
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by raw hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | fa863d2a8b00… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FBI Ragnar Locker 2020: FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.
- [2] Sophos Geolocation 2016: Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.
- [3] Bleepingcomputer RAT malware 2020: Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.
- [4] AWS Instance Identity Documents: Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.
- [5] Microsoft Azure Instance Metadata 2021: Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.
- [6] Securelist Transparent Tribe 2020: Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.
- [7] mitre-attack T1614: MITRE ATT&CK source record for T1614.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.