LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS

MITRE ATT&CK  /  T1500

T1500

Compile After Delivery

Stealth

Description

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

Platforms

LinuxmacOSWindows
Look up any technique

Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →

Scroll to Top