title: Embedded Payloads (T1027.009)
id: df00tech-t1027-009
status: experimental
description: "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. Adversaries have been observed embedding payloads as PE overlays, within resource sections of legitimate binaries, inside LNK file ExtraData fields, within Office VBA macros, and nested inside other file types. Notable examples include Emotet embedding executables in dropper binaries, DEADEYE embedding payloads in compiled binaries, Lazarus Group distributing malicious payloads in PNG files, Pikabot loading encrypted chunked PE sections, and Uroburos storing executable payloads in encrypted Queue files."
references:
  - https://attack.mitre.org/techniques/T1027/009/
  - https://df00tech.com/detections/T1027.009
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - certutil legitimately used by IT for certificate operations or legitimate file decoding in automation scripts
  - expand.exe used by Windows Update and software installers to decompress cabinet files
  - Office applications dropping temp files with .bin or .dat extensions during normal document processing
  - "PDF readers extracting embedded attachments from legitimate PDFs (forms, documents with attachments)"
level: high