T1614.001: System Language Discovery
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.[1]
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.[2]
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.[3][4][5]
On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.
Analyst context for executives and security teams
System Language Discovery is a small discovery behavior with outsized decision value: malware or operators may check a host’s language, locale, or keyboard settings to infer geography and decide what to do next. For leaders, this matters because it can be part of automated targeting logic before ransomware, banking malware, backdoors, or espionage activity proceeds. By itself it is not proof of compromise, but in the right sequence it can help explain why suspicious code is profiling an endpoint before follow-on actions.
Executive priority
Prioritize this as a coverage-validation item rather than a standalone high-severity alert. ATT&CK associates this technique with multiple Windows malware families, including ransomware and backdoors, and with campaigns/groups, so it is useful for incident scoping, threat-informed detection engineering, and audit evidence that discovery behaviors are monitored. Ask whether SOC telemetry can show when endpoints query language/locale data, whether this is correlated with other discovery or execution activity, and whether incident responders can distinguish normal software localization checks from suspicious pre-infection gating.
Technical view
This is a Discovery sub-technique of System Location Discovery covering Linux, macOS, and Windows. On Windows, ATT&CK describes registry queries to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and use of APIs such as GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList, and GetUserDefaultLangID. On macOS and Linux, ATT&CK describes querying locale to retrieve $LANG. No official MITRE detection text is provided, but the relationship context includes DET0565, Detection Strategy for System Language Discovery. SOC teams should validate detections around abnormal locale/language checks when they occur near suspicious execution, malware staging, broader host discovery, or activity linked to known software relationships such as Ryuk, SynAck, Maze, REvil, IcedID, Bazar, Clop, Cuba, and related backdoors listed by ATT&CK.
Likely telemetry
- Windows process execution and command-line telemetry for tools or scripts querying locale, language, keyboard layout, or registry language keys.
- Windows registry access telemetry for HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language.
- Endpoint/EDR telemetry that can expose calls or behavioral indicators related to language and keyboard layout API usage where available.
- Linux and macOS process execution telemetry for locale commands and environment-variable inspection involving $LANG.
- Parent/child process context showing whether language discovery occurred from expected software installers/localized applications or from unusual binaries, scripts, downloaders, or backdoors.
Detection direction
- Do not alert on language checks in isolation without context; many legitimate applications check locale for localization.
- Tune for suspicious parent processes, newly introduced binaries, scripts, malware-like execution chains, or language checks occurring immediately before other discovery, persistence, credential, or impact behaviors.
- Validate DET0565 or equivalent internal analytics against the specific data sources available in the environment, because ATT&CK does not provide official detection logic for this object.
- Create platform-specific coverage: registry/API-oriented monitoring for Windows and process/environment monitoring for Linux and macOS.
- Use relationship context to enrich investigations, not to assert attribution: ATT&CK links this behavior to multiple groups, campaigns, and software families, but local evidence is required before drawing conclusions.
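The detection direction above, as an added worked example (not ATT&CK's or Glexia's code): a Python triage pass over constructed process-creation events that scores the Nls\Language registry query and locale checks named on this page by parent context and by follow-on discovery from the same parent, so a routine localization check scores 0 while the same command from a temp-directory binary followed by more discovery scores high. The trusted/suspicious directory baselines and the follow-on command list are assumptions to tune per estate.

```python
import re

# Constructed sample process-creation events (not real telemetry), sorted by
# timestamp in seconds: host, pid, parent image, and the command line launched.
EVENTS = [
    {"ts": 100, "host": "ws01", "pid": 410, "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"},
    {"ts": 200, "host": "ws02", "pid": 511, "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"},
    {"ts": 205, "host": "ws02", "pid": 512, "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "cmd": "systeminfo"},
    {"ts": 300, "host": "srv01", "pid": 7001, "parent": "/bin/bash", "cmd": "locale"},
    {"ts": 900, "host": "srv02", "pid": 7002, "parent": "/tmp/.x/dropper", "cmd": "locale"},
]

# Language checks from the page: the Nls\Language key, the locale command, $LANG inspection.
LANGUAGE_CHECK = re.compile(r"Control\\Nls\\Language|(?:^|\s)locale(?:\s|$)|\$LANG", re.IGNORECASE)
# Other host-discovery commands worth correlating (hypothetical list; extend locally).
FOLLOW_ON = re.compile(r"systeminfo|whoami|ipconfig|hostname|uname", re.IGNORECASE)
# Parent locations where a locale check is expected vs. suspicious (hypothetical baselines).
TRUSTED_PARENT_DIRS = (r"c:\program files", r"c:\windows\system32", "/usr/bin", "/bin/")
SUSPICIOUS_PARENT_DIRS = (r"\appdata\local\temp", r"\users\public", "/tmp/", "/dev/shm/")

def triage(events, window=60):
    """Return (host, pid, score, reasons) per language check: parent context plus
    follow-on discovery from the same parent on the same host within `window` seconds."""
    findings = []
    for i, ev in enumerate(events):
        if not LANGUAGE_CHECK.search(ev["cmd"]):
            continue
        parent, score, reasons = ev["parent"].lower(), 0, []
        if any(d in parent for d in SUSPICIOUS_PARENT_DIRS):
            score += 2
            reasons.append("parent runs from a user-writable or temp directory")
        elif not parent.startswith(TRUSTED_PARENT_DIRS):
            score += 1
            reasons.append("parent outside baselined locations")
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are sorted, so nothing later is inside the window
            if (later["host"], later["parent"]) == (ev["host"], ev["parent"]) and FOLLOW_ON.search(later["cmd"]):
                score += 2
                reasons.append(f"followed by further discovery: {later['cmd']}")
                break
        findings.append((ev["host"], ev["pid"], score, reasons))
    return findings

if __name__ == "__main__":
    for host, pid, score, reasons in triage(EVENTS):
        print(host, pid, score, "; ".join(reasons) or "routine localization check")
```

A score of 0 is the legitimate-localization case the page warns against alerting on; anything at 2 or above is a candidate for analyst review with the surrounding execution chain.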
Mitigation priorities
- Focus first on visibility and correlation rather than blocking all locale checks, since language discovery is commonly legitimate.
- Ensure endpoint logging captures process lineage, command line, registry access where appropriate, and sufficient EDR behavioral context across Windows, Linux, and macOS.
- Use least privilege, application control, and execution-control baselines to reduce the chance that untrusted binaries or scripts can run discovery logic unchecked.
- In incident response playbooks, treat unexpected language discovery as a profiling signal and pivot to surrounding execution, persistence, network, and follow-on discovery evidence.
- For compliance and readiness evidence, document how discovery behaviors are logged, retained, triaged, and correlated with broader ATT&CK-based detections.
Analyst notes and limits
This technique is most valuable as a contextual signal. Its business relevance comes from helping identify malware or operator decision logic that may precede infection, selective execution, or additional actions. The supplied relationships show use by multiple ATT&CK-tracked campaigns, groups, and software entries, including ransomware and backdoor families, but those relationships should guide enrichment and prioritization rather than attribution.
Official MITRE detection guidance is not provided for this technique. The ATT&CK object supplies behavior examples and platform scope, but not specific analytics, data source requirements, severity, or mitigation text. Local telemetry quality, process context, baselines for legitimate localization behavior, and correlation with other events are required to assess risk accurately.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1614 | System Location Discovery | This object is a sub-technique of System Location Discovery. |
Groups, software, and campaigns
G0004: Ke3chang
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
G1043: BlackByte
BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.[1][2][3][4][5]
G1053: Storm-0501
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]
G1026: Malteiro
Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).[1]
S1153: Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs (PUPs) such as converters, cleaners, and uninstallers.[1][2]
S0652: MarkiRAT
MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[1]
S0658: XCSSET
XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]
S0625: Cuba
S0696: Flagpro
S0483: IcedID
S0640: Avaddon
S0449: Maze
S1122: Mispadu
Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][2] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[2] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[2][3][4]
S0543: Spark
S1228: PUBLOAD
PUBLOAD is a stager malware that has been observed installing itself in existing directories such as `C:\Users\Public` or creating new directories to stage the malware and its components.[1] PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as “NoFive” and some public reporting identifies the loader component as CLAIMLOADER.[2]
S0446: Ryuk
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
C0061: Operation Digital Eye
Operation Digital Eye was conducted in June and July of 2024 by suspected People's Republic of China (PRC)-nexus threat actors targeting business-to-business IT service providers in Southern Europe. Operation Digital Eye activity included the use of Visual Studio Code tunnels for command and control (C2) and custom lateral movement capabilities. Overlaps in tooling between Digital Eye and previous China-nexus campaigns, Operation Soft Cell and Operation Tainted Love, indicate the potential use of shared vendors or digital quartermasters.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8c3b7719d5bd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Malware System Language Check: Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.
[2] CrowdStrike Ryuk January 2019: Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
[3] Darkside Ransomware Cybereason: Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.
[4] Securelist JSWorm: Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.
[5] SecureList SynAck Doppelgänging May 2018: Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
[6] mitre-attack: T1614.001.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.