In the figure above, an attacker group, “APT 42”, possesses a “private” code base. Once that code has been used in several pieces of malware and several campaigns, tracing them back to this common code is very difficult. Thanks to our technology, we transform the different malware used by this group into “Concept Code”, and since the characteristics of this Concept Code are independent of the toolchains and architectures used, we can identify the presence of common code between these two branches and affirm that the attacker necessarily possesses a common source code used to produce them: the two subfamilies therefore necessarily come from the same entity! Of course, we first removed any Concept Code associated with public source code (runtimes, open-source code…) that can be found in many malware samples.
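The comparison described above, as an added sketch that is not the vendor's technology: the page does not say how “Concept Code” is computed, so each function is assumed to be already lifted to a sequence of abstract operations, and matching is done with n-gram Jaccard similarity. All function names, sequences and the 0.6 threshold are constructed for illustration.

```python
from itertools import product

def shingles(ops, n=3):
    """Set of n-grams over an abstract-operation sequence."""
    return frozenset(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))

def jaccard(a, b):
    """Similarity of two shingle sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def strip_public(sample, public, threshold=0.6):
    """Drop functions that match known public code (runtimes, open source)."""
    return {name: ops for name, ops in sample.items()
            if all(jaccard(shingles(ops), shingles(p)) < threshold
                   for p in public)}

def shared_code(sample_a, sample_b, public, threshold=0.6):
    """Pairs of non-public functions that match across two samples."""
    a = strip_public(sample_a, public, threshold)
    b = strip_public(sample_b, public, threshold)
    return sorted((na, nb)
                  for (na, oa), (nb, ob) in product(a.items(), b.items())
                  if jaccard(shingles(oa), shingles(ob)) >= threshold)

# Constructed data: assumed output of an architecture-independent lifting step.
MEMCPY = ["load", "store", "add", "cmp", "branch", "load", "store", "ret"]
PRIVATE_FN = ["load", "xor", "rotate", "add", "store",
              "cmp", "branch", "xor", "ret"]
PUBLIC = [MEMCPY]  # stand-in corpus of public code

SAMPLE_A = {  # sample from the first branch
    "sub_401000": MEMCPY,
    "sub_401200": PRIVATE_FN,
    "sub_401400": ["call", "cmp", "branch", "call", "ret"],
}
SAMPLE_B = {  # sample from the second branch, built with another toolchain
    "fn_8000": MEMCPY,
    "fn_8100": PRIVATE_FN[:-1] + ["nop", "ret"],  # slightly different build
    "fn_8200": ["load", "mul", "store", "call", "ret"],
}

if __name__ == "__main__":
    # Only the private routine links the two branches once public code is gone.
    print(shared_code(SAMPLE_A, SAMPLE_B, PUBLIC))
    # Without the public-code filter, the shared runtime function also matches.
    print(shared_code(SAMPLE_A, SAMPLE_B, []))
```

Skipping the public-code filter makes every pair of samples that shares a runtime look related, which is why that step comes before any attribution claim.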