Masquerading: Match Legitimate Resource Name or Location

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.[1]
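The two file-based variants described above (a legitimate name in the wrong directory, and a near-miss of a legitimate name) can be checked with a small allow-list scan. This is an added defender-side example, not part of the ATT&CK page; the expected-location table is an assumption that a real deployment would generate from a golden image, and the sample paths are constructed from cases in the procedure list below.

```python
"""Flag file/process image paths that exactly match or closely approximate a
well-known legitimate binary but do not sit where that binary belongs."""
import ntpath
from typing import List, Optional, Tuple

# Assumption: allow-list of legitimate names and the directories they live in.
# A production version would be built from a known-good inventory, not typed in.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
    "wercplsupport.dll": {r"c:\windows\system32"},
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss names such as svchosst.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(full_path: str) -> Optional[str]:
    """Return a finding label for one observed path, or None if it looks benign."""
    directory, name = ntpath.split(full_path.lower())
    directory = directory.rstrip("\\")
    if name in EXPECTED_LOCATIONS:
        if directory in EXPECTED_LOCATIONS[name]:
            return None
        return f"exact-name-wrong-location: {name} in {directory}"
    for legit in EXPECTED_LOCATIONS:
        # One or two inserted/substituted characters is the typical near-miss;
        # tune the threshold down for very short names to limit false positives.
        if edit_distance(name, legit) <= 2:
            return f"near-match-name: {name} resembles {legit}"
    return None

def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Run classify over a list of paths and keep only the findings."""
    return [(p, r) for p in paths if (r := classify(p))]

# Constructed sample: one legitimate binary plus cases modelled on the Elise,
# Gamaredon Group, Blue Mockingbird and ANDROMEDA procedure examples.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Network\svchost.exe",
    r"C:\Windows\System32\svchosst.exe",
    r"C:\Windows\System32\wercplsupporte.dll",
    r"C:\Temp\TrustedInstaller.exe",
]

if __name__ == "__main__":
    for path, finding in scan(SAMPLE):
        print(f"{finding}  <- {path}")
```

Registry-key approximations (the third variant) can be checked the same way by feeding key names instead of file paths to edit_distance against a list of keys the legitimate product is known to create.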

ID: T1036.005
Sub-technique of: T1036
Tactic: Defense Evasion
Platforms: Containers, ESXi, Linux, Windows, macOS
Contributors: Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 2.0
Created: 10 February 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.[2]

G0018 admin@338

admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe[3]

G1024 Akira

Akira has used legitimate names and locations for files to evade defenses.[4]

S1074 ANDROMEDA

ANDROMEDA has been installed to C:\Temp\TrustedInstaller.exe to mimic a legitimate Windows installer service.[5]

S0622 AppleSeed

AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[6]

G0006 APT1

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[7][8]

G0007 APT28

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[9]

G0016 APT29

APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.[10][11]

G0050 APT32

APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.[12][13]

G0087 APT39

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[14][15]

G0096 APT41

APT41 attempted to masquerade their files as popular anti-virus software.[16][17]

G1044 APT42

APT42 has masqueraded the VINETHORN payload as a VPN application.[18]

G1023 APT5

APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a KB<digits>.zip pattern.[19]

G0143 Aquatic Panda

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[20]

S0475 BackConfig

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.[21]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has dropped implants in folders named for legitimate software.[22]

S0606 Bad Rabbit

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[23][24]

S0128 BADNEWS

BADNEWS attempts to hide its payloads using legitimate filenames.[25]

S0534 Bazar

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[26][27][28]

S0268 Bisonal

Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.[29]

S1070 Black Basta

The Black Basta dropper has mimicked an application for creating USB bootable drivers.[30]

S0520 BLINDINGCAN

BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[31]

G0108 Blue Mockingbird

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[32]

G0060 BRONZE BUTLER

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[33]

S1063 Brute Ratel C4

Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[34]

S1039 Bumblebee

Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[35]

S0482 Bundlore

Bundlore has disguised a malicious .app file as a Flash Player update.[36]

C0017 C0017

During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[37]

C0018 C0018

For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe.[38]

C0032 C0032

During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[39]

S0274 Calisto

Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[40]

G0008 Carbanak

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[41]

S0484 Carberp

Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[42][43]

S0631 Chaes

Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.[44]

S0144 ChChes

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[45]

G0114 Chimera

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[46]

S1041 Chinoxy

Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file.[47]

S0625 Cuba

Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[48]

S1153 Cuckoo Stealer

Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[49][50]

S0687 Cyclops Blink

Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.[51]

S1014 DanBot

DanBot files have been named UltraVNC.exe and WINVNC.exe to appear as legitimate VNC tools.[52]

S0334 DarkComet

DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[53]

G0012 Darkhotel

Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[54]

S0187 Daserf

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[55]

S0600 Doki

Doki has disguised a file as a Linux kernel module.[56]

S0694 DRATzarus

DRATzarus has been named Flash.exe, and its dropper has been named IExplorer.[57]

S0567 Dtrack

One Dtrack variant can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[58]

S1158 DUSTPAN

DUSTPAN is often disguised as a legitimate Windows binary such as w3wp.exe or conn.exe.[59]

G1006 Earth Lusca

Earth Lusca used the command move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll to move a malicious DLL into place and register it as a Windows print processor, which was eventually loaded by the Print Spooler service.[60]

S0605 EKANS

EKANS has been disguised as update.exe to appear as a valid executable.[61]

S0081 Elise

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[62]

G1003 Ember Bear

Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to java in victim environments.[63]

S0171 Felismus

Felismus has masqueraded as legitimate Adobe Content Management System files.[64]

G0137 Ferocious Kitten

Ferocious Kitten has named malicious files update.exe and loaded them into the compromised host's "Public" folder.[65]

G1016 FIN13

FIN13 has masqueraded WAR files to look like legitimate packages, such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[66]

G0046 FIN7

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[67]

S0182 FinFisher

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[68][69]

S0661 FoggyWeb

FoggyWeb can be disguised as a Visual Studio file such as Windows.Data.TimeZones.zh-PH.pri to evade detection. Also, FoggyWeb's loader can mimic a genuine dll file that carries out the same import functions as the legitimate Windows version.dll file.[70]

G0117 Fox Kitten

Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[71]

S0410 Fysbis

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[72]

G0047 Gamaredon Group

Gamaredon Group has used legitimate process names to hide malware including svchosst.[73]

S0666 Gelsemium

Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[74]

S1197 GoBear

GoBear is installed through droppers masquerading as legitimate, signed software installers.[75]

S0493 GoldenSpy

GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.[76]

S0588 GoldMax

GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[77][78]

S0477 Goopy

Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[12]

S0531 Grandoreiro

Grandoreiro has named malicious browser extensions and update files to appear legitimate.[79][80]

S0690 Green Lambert

Green Lambert has been disguised as a Growl help file.[81][82]

S0697 HermeticWiper

HermeticWiper has used the name postgressql.exe to mask a malicious payload.[83]

S0698 HermeticWizard

HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll.[83]

C0038 HomeLand Justice

During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[84][85]

S0070 HTTPBrowser

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[86]

S1022 IceApple

IceApple .NET assemblies have used App_Web_ in their file names to appear legitimate.[87]

S0483 IcedID

IcedID has modified legitimate .dll files to include malicious code.[88]

G1032 INC Ransom

INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[89][90]

G0119 Indrik Spider

Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.[91]

S0259 InnaputRAT

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[92]

S0260 InvisiMole

InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[93][94]

S0015 Ixeshe

Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[95]

S1203 J-magic

J-magic can rename itself as "[nfsiod 0]" to masquerade as the local Network File System (NFS) asynchronous I/O server.[96]

C0050 J-magic Campaign

During the J-magic Campaign, threat actors used the name "JunoscriptService" to masquerade malware as the Junos automation scripting service.[96]

G0004 Ke3chang

Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe.[97]

S0526 KGH_SPY

KGH_SPY has masqueraded as a legitimate Windows tool.[98]

G0094 Kimsuky

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.[99]

S0669 KOCTOPUS

KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[100]

S0356 KONNI

KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[101]

S1160 Latrodectus

Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.[102]

G0032