Info
ID: AT-RD002.002
Technique: Develop Capabilities
Tactic: Resource Development
Platforms: PRE
Malware
Malware development represents a critical component within the Resource Development phase of the cyber attack lifecycle, where adversaries create, acquire, or modify malicious software designed to compromise target systems. This sub-technique encompasses the production of various malware types including remote access trojans (RATs), ransomware, keyloggers, backdoors, rootkits, and information stealers specifically crafted to achieve adversarial objectives. Unlike publicly available tools, custom malware provides attackers with capabilities that can evade signature-based detection, maintain persistent access to compromised environments, and exfiltrate sensitive data while minimizing detection probability. Sophisticated threat actors often develop their malware with modular architectures, obfuscation techniques, and anti-analysis features to impede reverse engineering efforts and extend operational longevity. The development process may involve programming new code bases, modifying existing malware frameworks, or purchasing capabilities from specialized criminal marketplaces, with the ultimate goal of establishing a foundation for subsequent attack phases including Initial Access, Execution, and Persistence.
Procedure Examples
ID | Name | Description |
---|---|---|
AC-0001 | ByBit $1.5B Crypto Heist | Development of macOS malware disguised as legitimate Docker project "MC-Based-Stock-Invest-Simulator-main" for social engineering delivery. The malware was designed to harvest AWS credentials and establish persistence on developer workstations. |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
Most Develop Capabilities activity occurs on infrastructure fully controlled by the adversary, well outside the defender’s telemetry boundary. As a result, there is no direct sensor-based detection opportunity for this technique prior to delivery. Visibility is instead gained when the finished malware artifact traverses an ingress point covered by other tactics (e.g., Gain Access or Payload Execution). Defenders should focus on supply-chain assurance, mandatory code-signing, and threat-intelligence ingestion rather than host- or network-level analytics for this stage.
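The detection guidance above shifts the control to the ingress point: a finished artifact is checked against a pinned allowlist of approved builds and against ingested threat-intelligence indicators before it may run, and anything unknown is held rather than trusted. The following is an added example of such a pre-execution gate, not code from the source page or from any framework or vendor. The feed format, the allowlist, and every artifact and digest are constructed for illustration (the lure name is the one quoted in the procedure example on this page); a real deployment would pin release digests out of band and pull indicators from its own intelligence platform.

```python
"""Pre-execution artifact gate: pinned allowlist + threat-intel indicators.

Added example for this page; all artifacts, digests and feed entries are
constructed so the module runs offline.
"""
import hashlib
import io
import json
import zipfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "approved" build. In practice the allowlist holds digests pinned
# at release time (e.g. from a signed manifest), not values computed at runtime.
APPROVED_ARTIFACT = b"#!/bin/sh\necho approved build tooling\n"
PINNED_ALLOWLIST = {sha256_hex(APPROVED_ARTIFACT)}

# Constructed, deliberately inert bytes standing in for a known-bad sample.
KNOWN_BAD_SAMPLE = b"constructed known-bad sample bytes (inert placeholder)"

# Constructed indicator feed. The shape is illustrative, not STIX; the lure
# filename is the one named in this page's procedure example.
THREAT_FEED = json.dumps({
    "indicators": [
        {"type": "sha256", "value": sha256_hex(KNOWN_BAD_SAMPLE), "source": "constructed"},
        {"type": "filename", "value": "MC-Based-Stock-Invest-Simulator-main", "source": "constructed"},
    ]
})

def load_indicators(feed_json: str) -> dict:
    """Ingest the feed into per-type lookup sets; unknown types are ignored."""
    by_type = {"sha256": set(), "filename": set()}
    for ind in json.loads(feed_json)["indicators"]:
        if ind["type"] in by_type:
            by_type[ind["type"]].add(ind["value"].lower())
    return by_type

def evaluate_artifact(name: str, data: bytes, allowlist: set, indicators: dict) -> dict:
    """Verdict for one file: 'block' on any indicator hit, 'allow' only when the
    digest is pinned, otherwise 'quarantine' (default deny for unknown code)."""
    digest = sha256_hex(data)
    reasons = []
    if digest in indicators["sha256"]:
        reasons.append("hash matches threat-intel indicator")
    if name.lower() in indicators["filename"]:
        reasons.append("name matches threat-intel lure indicator")
    if reasons:
        verdict = "block"
    elif digest in allowlist:
        verdict = "allow"
    else:
        verdict = "quarantine"
        reasons.append("digest not on pinned allowlist")
    return {"name": name, "sha256": digest, "verdict": verdict, "reasons": reasons}

def evaluate_archive(data: bytes, allowlist: set, indicators: dict) -> dict:
    """A 'project' lure usually arrives as an archive: evaluate each member and
    let the worst member verdict decide the whole archive."""
    order = {"allow": 0, "quarantine": 1, "block": 2}
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members.append(evaluate_artifact(info.filename, zf.read(info), allowlist, indicators))
    overall = max((m["verdict"] for m in members), key=order.get, default="quarantine")
    return {"verdict": overall, "members": members}

def build_sample_archive() -> bytes:
    """Constructed archive mixing an approved file with a known-bad member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/build.sh", APPROVED_ARTIFACT)
        zf.writestr("project/helper.bin", KNOWN_BAD_SAMPLE)
    return buf.getvalue()

if __name__ == "__main__":
    inds = load_indicators(THREAT_FEED)
    print(evaluate_artifact("build.sh", APPROVED_ARTIFACT, PINNED_ALLOWLIST, inds)["verdict"])
    print(evaluate_archive(build_sample_archive(), PINNED_ALLOWLIST, inds)["verdict"])
```

The gate is deliberately default-deny: a digest that matches no indicator but is also not pinned is quarantined rather than allowed, which is what a mandatory code-signing or allowlisting policy amounts to in practice. Indicator hits take precedence over the allowlist so that a pinned build later flagged by intelligence is still stopped.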