T1036.005: T1036.005

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1036.005
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

Match Legitimate Resource Name or Location

Platforms

windows macos linux Containers ESXi

Description

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Docker Images
Twitter ItsReallyNick Masquerading Update
mitre-attack (T1036.005)
Elastic Masquerade Ball
Aquasec Kubernetes Backdoor 2023

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (70)

UAC-0125 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silence uses Whisper Spider

The MITRE Corporation Confidence 100

[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rocke uses

The MITRE Corporation Confidence 100

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang uses APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tadashi uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonBreath uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mustard Tempest uses DEV-0206GOLD PRELUDE

The MITRE Corporation Confidence 100

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…

First seen 01/01/1970 · Last seen 16/11/5138 ·
alh1mik uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
VasyGrek uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Whitefly uses

The MITRE Corporation Confidence 100

[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 70

NOKKI uses
Mekotio uses

Family
Java RAT uses

Family
ValleyRAT uses

Family
RustyWater uses

Family
Calisto uses
KaynLdr uses

Family
QUADAGENT uses
Penguish uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WAVESHAPER uses
Havoc uses

Family
PureLog Stealer uses

Family

← Previous

Page / 11

1–12 of 126

ClickFix campaign delivers macOS infostealer via DMG related

AlienVault Confidence 100 10 MITREs 4 Malwares 10 IOCs 4 Observables
Artifact scanner detects npm package 'node-fetch-utils' using external … related

AlienVault Confidence 100 13 MITREs 2 Malwares 2 IOCs 1 Observable
3CXDesktopApp Intrusion Campaign Prevention related

AlienVault Confidence 100 20 MITREs 2 Malwares 29 IOCs 20 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
From package to postinstall payload: Inside the Mastra … related

AlienVault Confidence 100 21 MITREs 1 Malware 6 IOCs 1 Observable
Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
WebAssembly Malware Found in Trojanized Open VSX Extensions related

AlienVault Confidence 100 17 MITREs 1 Malware 12 IOCs 12 Observables 1 APT
How 23 Browser Extensions Silently Monetize ~758,000 Users' … related

AlienVault Confidence 100 19 MITREs 29 IOCs 29 Observables
The Package That Never Shipped: Following a USPS … related

AlienVault Confidence 100 21 MITREs 8 IOCs 8 Observables
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
World Cup 2026 Mobile Targeted Phishing: The Global … related

AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (35)

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2026-5426 targets

9.1 Critical

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and …

Attack vector: Network
Complexity: Low
EPSS: 0.0005 (P15.4%)
Published: 16/04/2026
Modified: 26/05/2026

CWE-321 Awaiting Analysis

CVE-2025-30406 targets

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Published: 03/04/2025
Modified: 03/04/2025

Received

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-64328 KEV targets

8.6 High

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore …

Attack vector: Network
Complexity: Low
Published: 07/11/2025
Modified: 18/06/2026

CWE-78 Awaiting Analysis

CVE-2026-21509 KEV targets

7.8 High

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could …

Attack vector: LOCAL
Published: 26/01/2026
Modified: 27/03/2026

Analyzed

CVE-2023-21839 KEV targets

7.5 High

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …

Attack vector: Network
Published: 01/05/2023
Modified: 21/12/2025

CVE-2017-11317

targets

CVE-2017-0144 KEV targets

8.8 High

The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.

Attack vector: NETWORK
Complexity: LOW
Published: 17/03/2017
Modified: 22/04/2026

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 3

1–12 of 35

T1036 subtechnique-of

Masquerading MITRE

Tool (1)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…

Campaign (6)

RedPenguin uses
C0032 uses
SolarWinds Compromise uses
HomeLand Justice uses
Operation Wocao uses
Triton Safety Instrumented System Attack uses

Course Of Action (1)

Code Signing mitigates

Contact About Legal notice Privacy policy Terms of use