{
	"id": "ba7a31da-41ae-4fed-a824-b4971fe709cf",
	"created_at": "2026-04-06T00:10:33.029061Z",
	"updated_at": "2026-04-10T13:11:44.340099Z",
	"deleted_at": null,
	"sha1_hash": "ff4fdc6922f9040689c5b2027c383f74305b05e4",
	"title": "Portable Executable File Infecting Malware Is Increasingly Found in OT Networks | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1403662,
	"plain_text": "Portable Executable File Infecting Malware Is Increasingly Found\r\nin OT Networks | Mandiant\r\nBy Mandiant\r\nPublished: 2021-10-27 · Archived: 2026-04-05 12:54:14 UTC\r\nWritten by: Ken Proska, Corey Hildebrandt, Daniel Kapellmann Zafra, Nathan Brubaker\r\nWhile researching files associated with a range of operational technology (OT) original equipment manufacturers\r\n(OEM), Mandiant Threat Intelligence uncovered a large number of legitimate portable executable (PE) binaries\r\naffected by various types of PE infecting malware. The infected files include binaries associated with\r\nprogrammable logic controllers (PLC), OLE for process control (OPC) communications, human-machine\r\ninterface (HMI) applications, and other OT functions supported by Windows-based devices at levels 2 and 3 of the\r\nPurdue Model.\r\nA PE is a file format developed by Microsoft used for executables (.EXE, .SCR) and dynamic link libraries\r\n(.DLL). A PE file infector is a malware family that propagates by appending or wrapping malicious code into\r\nother PE files on an infected system. PE infectors are not particularly complex and can be detected by most\r\nantivirus products. However, this has not stopped such malware from spreading to OT networks where slight\r\ndeviations in performance or system conditions may result in adverse outcomes.\r\nFor this blog post, we examined 1,200 infected files associated with ten OEMs in a known malware analysis\r\nplatform from 2010 through 2021. These malicious executables contain infected versions of legitimate PE files as\r\nindicated by valid embedded certificates from the vendors. Although we have no indications that this activity is\r\ntargeting OT systems, our research highlights that actors can often succeed in crossing the OT security perimeter\r\neven with simple tactics.\r\nTo gain access to comprehensive coverage of OT and IT threat actor activity, check out Mandiant Advantage Free\r\nand Fusion cyber threat intelligence offerings.\r\nPE Infecting Malware Is Increasingly Observed in OT Binaries Since 2010\r\nMandiant hunted for infected samples and uncovered over 1200 infected PEs associated with ten OT OEMs tested\r\nin an online malware analysis sandbox from 2010 through 2021. The list of OEMs included Siemens, Emerson,\r\nSchneider Electric, Rockwell Automation/Allen Bradley, ABB, Schweitzer Engineering, Honeywell, GE Fanuc,\r\nKepware, and Invensys. In 2010, only three PEs were tested on the platform, but that number increased to 526 PEs\r\nin the first six months of 2021 alone. While we are not able to definitively state the reason for this significant\r\nincrease, there are a few possible explanations.\r\nSince 2010, awareness of security in OT networks has dramatically increased. As a result, OT security\r\nteams increasingly deploy anti-virus measures to Windows-based systems and test more suspicious files,\r\nhttps://www.mandiant.com/resources/pe-file-infecting-malware-ot\r\nPage 1 of 8\n\nsome of which include the identified PE infectors.\r\nIT-OT convergence has led to increasing connectivity of OT networks, potentially resulting in increased\r\nexposure to IT malware like PE infectors.\r\nLimited use of anti-virus and other security measures in OT has allowed the malware to spread and persist\r\nover the last decade.\r\nOT defenders are increasingly using known malware analysis platforms to review software from Windows-based systems in OT.\r\nFigure 1 shows the upward trend of infected OEM OT executables between 2010 and mid-2021. Mandiant does\r\nnot have enough information to explain the sudden drop in observed cases during 2019. However, given the\r\nobservable trend, we believe it may be related to modifications in the malware analysis repository we queried.\r\nFigure 1: Number of infected OT executables over time\r\nThe trend highlighted in Figure 1 is consistent with the fact that the OT security community is relatively new and\r\nbegan to develop mainly after the Stuxnet incident in 2011. We have observed similar growth in other areas, such\r\nas information sharing for OT vulnerabilities. We also highlight that the number of infections we present only\r\nincludes analysis of executables from ten major OEMs in one known malware analysis platform; however, the\r\nnumber of actual infections across the industry is likely much higher.\r\nDownload a copy of our sample of infected files. We note that in some cases automated analysis was unable to\r\ndetermine the specific malware and the list may include a small number of other types of malware posing as OT\r\nsoftware.\r\nPE Infectors Can Propagate Easily Without Targeting Specific Victims\r\nMandiant has no information to indicate that any of the PE infectors we uncovered were specifically targeting OT\r\nsystems. Due to the worm-like nature of many PE infectors, there are multiple scenarios and attack vectors in\r\nwhich OT assets can become infected, most often without being specifically targeted. Table 1 provides a non-exhaustive list of examples.\r\nTable 1: Threat vector analysis\r\nPE infectors often propagate by scanning filesystems, memory, local drives, network shares, and portable media\r\nfor clean PE files and, once located, alter the clean PE by appending malicious code. For example, when the\r\nmalware finds a file such as “EventViewer.exe”, legitimate Honeywell software used to view security alarms, it\r\nappends itself to the executable but keeps the original name and the program functionality. Procedures used to\r\nexecute this vary in complexity among different families and variants of PE infectors. Table 2 presents a random\r\nsample of infected OT OEM binaries we uncovered.\r\nTable 2: Sample of infected OT OEM binaries\r\nPE infecting malware introduced in OT environments can propagate quickly where protection levels are consistent\r\nthroughout systems and networks. For example, if the initial infection vector is through portable media due to a\r\nlack of implementation of scanning and sanitization controls, then asset owners will likely see infections across\r\nsystems where portable media is shared.\r\nDifferent PE Infectors Vary in Capabilities\r\nThere are multiple types of PE infectors with various capabilities. Our analysis of a subset of identified malicious\r\nfiles indicates the following functions are common across most families:\r\nCommand and Control (C2)\r\nProvides threat actors with the ability to issue commands, download additional malicious resources,\r\nand exfiltrate data from infected systems\r\nPeer-to-Peer (P2P) Botnet Communication\r\nAbility to send/receive C2 domains/IPs via infected peers\r\nAnti-Debugging/Anti-VM\r\nPayload encryption to obscure analysis and detection\r\nSystem Modification\r\nPrimarily used to propagate across the system, inject malicious code into processes, alter files across\r\nthe system, create/delete files, disable security functions, and provide persistence\r\nTable 3 includes a subset of the most observed PE infecting malware families we identified in OT files. Variants\r\nmay include functionality not mentioned and payloads modified by threat actors.\r\nTable 3: Examples of PE infecting malware families\r\nPE Infector Outbreaks Can Have Serious Implications for OT Systems\r\nWhile largely common in IT networks, PE infector outbreaks may have serious implications for OT systems and\r\nnetworks. When PE infectors are not detected and remediated in a timely manner, they can rapidly spread across\r\nnetworks. Widespread infections introduce unexpected conditions to systems and networks where performance\r\nand stability are crucial for their intended functions.\r\nAt the network level, systems impacted by PE infecting malware can egress large amounts of erroneous\r\ntraffic associated with capabilities of the malware, such as C2 beaconing, P2P botnet communication, and\r\nfile share enumeration. PE infectors may also result in adverse impacts on performance of older\r\nnetworking equipment, which is commonly benchmarked with expected normal conditions through factory\r\nacceptance testing (FAT) and site acceptance testing (SAT) by the OEM.\r\nAt the host level, PE infecting malware can cause performance issues for assets. The methods used by the\r\nPE infectors to propagate and persist can cause spikes in resource utilization, such as disk I/O, memory,\r\nand CPU performance.\r\nThis can impact legacy systems with limited resources and assets with specific functions such as\r\nhistorians, where disk and memory I/O performance is critical.\r\nBinaries used by the OS and OEM software can also become corrupted or degraded as the malware\r\npropagates and alters files across the system.\r\nWhile in most cases, PE infecting malware in OT environments can be considered a nuisance, it highlights the\r\nexistence of weaknesses that threat actors can take advantage of. Our observations of OT related software\r\nexecutables impacted by PE infecting malware imply that OT systems and networks can be compromised with\r\noverly simplistic tactics.\r\nAlthough the PE infecting malware families we observed were not likely targeting OT systems or networks, more\r\ncomplex malware with similar PE infecting capabilities may be just as effective at penetrating the OT perimeter.\r\nOne example is the case of LOCKLOAD (aka FREELOADER), a malware family with PE infecting capability\r\nwhich we have observed being used to operate and collect information from air-gapped systems. In addition to its\r\nPE infecting ability, LOCKLOAD can exfiltrate stolen files off a victim's system, execute propagate commands\r\nand collect files from infected offline systems. It also propagates to offline systems when opening files from\r\ncompromised USB drives.\r\nPrevention, Detection, and Remediation for PE Infectors in OT Environments\r\nMandiant provides the following recommendations for prevention, detection, and remediation of PE infectors in\r\nOT environments. For support reach out to Mandiant OT Consulting.\r\nPrevention\r\nDefenders should prioritize prevention for PE infecting malware to decrease the risk of infections spreading to\r\ncritical assets.\r\nPerform periodic backups for critical assets and ensure backups are tested. The backups should be stored\r\noffline and periodically tested.\r\nDevelop policies and procedures for identifying, controlling, and authorizing use of portable media such as\r\nlaptops, USB, and CDs:\r\nSanitize or scan portable media with up-to-date anti-virus using a heuristics-based engine prior to\r\nconnecting to OT assets.\r\nEvaluate portable media and data entering the OT environment from untrusted sources and have\r\nexternal parties use controlled and authorized portable media.\r\nEnsure OT assets do not have direct network access or mapped network shares to IT assets unless\r\nabsolutely required. Properly segment or airgap critical safety assets from larger networks and monitor\r\nnetwork traffic for anomalies to and from these assets.\r\nMonitor vendors' and contractors' use of OT systems, including for example portable media, or work\r\norders.\r\nWhere feasible:\r\nDisable USB ports for devices where their use is not needed and, if possible, utilize port-blockers.\r\nInstall application whitelisting on OT assets or portable media used with OT assets (e.g.,\r\nmaintenance laptops and test equipment).\r\nImplement device control on OT assets to ensure only approved portable media is used.\r\nDetection\r\nPE infecting malware and files affected by PE infectors often have high detection rates by anti-virus engines.\r\nHowever, OT systems may be unable to use anti-virus or endpoint protection because of constraints such as\r\nservice-level agreements (SLA). Defenders should prioritize detection of this threat prior to entering the OT\r\nenvironment. This can be achieved by scanning devices and data brought into the OT environment with updated\r\nanti-virus or sanitizing it prior to use.\r\nDetecting the presence of PE infecting malware can be difficult on assets where traditional anti-virus or endpoint\r\nprotection is not used. This is because the infected PE files may have the ability to run the legitimate code even\r\nafter being infected, leaving very few user-observable indicators. We suggest defenders review network traffic to\r\nand from systems that could be used to support C2 capabilities (e.g., systems at Purdue level 2 and 3). Identifying\r\nsuspicious beaconing or C2 activity from these assets can also help in identifying infected systems in the\r\nenvironment.\r\nRemediation\r\nRemediating an infection caused by PE infecting malware can be complicated due to the self-replicating nature\r\nand methods used to propagate and persist throughout a system. Deleting infected files is not recommended as this\r\ncan cause loss of important files used by the OS or OT applications. Mandiant recommends reverting to known\r\ngood backups for remediating infected assets. However, reversion to backups requires consideration of the\r\nfollowing factors:\r\nIs there a backup available for the affected asset(s)?\r\nWere there any changes made to the asset (e.g., configuration, project files, setpoint, tags, etc.) since the\r\nlast backup was captured?\r\nWhat was the infection vector?\r\nSource: https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/pe-file-infecting-malware-ot"
	],
	"report_names": [
		"pe-file-infecting-malware-ot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff4fdc6922f9040689c5b2027c383f74305b05e4.pdf",
		"text": "https://archive.orkl.eu/ff4fdc6922f9040689c5b2027c383f74305b05e4.txt",
		"img": "https://archive.orkl.eu/ff4fdc6922f9040689c5b2027c383f74305b05e4.jpg"
	}
}