T1036.005: T1036.005

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/02/2020 21:43 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1036.005
Confidence: 100/100
Revoked: No
Published: 10/02/2020 21:43
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

Match Legitimate Resource Name or Location

Platforms

windows macos linux Containers ESXi

Description

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Docker Images
Twitter ItsReallyNick Masquerading Update
mitre-attack (T1036.005)
Elastic Masquerade Ball
Aquasec Kubernetes Backdoor 2023

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (66)

APT-C-36 related Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT1 related Comment CrewComment Group

The MITRE Corporation Confidence 100

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 related InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 related ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 related Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT42 related

The MITRE Corporation Confidence 100

[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT5 related Mulberry TyphoonMANGANESE

The MITRE Corporation Confidence 100

[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda related

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER related REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BackdoorDiplomacy related

The MITRE Corporation Confidence 100

[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

25–36 of 66

NOKKI uses
Mekotio uses

Family
Java RAT uses

Family
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RustyWater uses

Family
Calisto uses
KaynLdr uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
QUADAGENT uses
Penguish uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WAVESHAPER uses
Havoc uses

The MITRE Corporation Confidence 100

[Havoc](https://attack.mitre.org/software/S1229) is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it…

First seen 01/01/1970 · Last seen 16/11/5138 ·
PureLog Stealer uses

Family

← Previous

Page / 7

1–12 of 73

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure related

AlienVault Confidence 100 19 MITREs 3 Malwares 6 IOCs 1 APT
Millenium: A RAT Rewritten, A Threat Multiplied related

AlienVault Confidence 100 21 MITREs 5 Malwares 60 IOCs 21 Observables 1 APT
ClickFix campaign delivers macOS infostealer via DMG related

AlienVault Confidence 100 10 MITREs 4 Malwares 10 IOCs 4 Observables
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
Artifact scanner detects npm package 'node-fetch-utils' using external … related

AlienVault Confidence 100 13 MITREs 2 Malwares 2 IOCs 1 Observable
3CXDesktopApp Intrusion Campaign Prevention related

AlienVault Confidence 100 20 MITREs 2 Malwares 29 IOCs 20 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
From package to postinstall payload: Inside the Mastra … related

AlienVault Confidence 100 21 MITREs 1 Malware 6 IOCs 1 Observable
Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
WebAssembly Malware Found in Trojanized Open VSX Extensions related

AlienVault Confidence 100 17 MITREs 1 Malware 12 IOCs 12 Observables 1 APT
How 23 Browser Extensions Silently Monetize ~758,000 Users' … related

AlienVault Confidence 100 19 MITREs 29 IOCs 29 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (35)

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2026-5426 targets

9.1 Critical

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and …

Attack vector: Network
Complexity: Low
EPSS: 0.0005 (P15.4%)
Published: 16/04/2026
Modified: 26/05/2026

CWE-321 Awaiting Analysis

CVE-2025-30406 KEV targets

9.0 Critical

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Attack vector: Network
Published: 08/04/2025
Modified: 21/12/2025

Received

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-64328 KEV targets

8.6 High

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore …

Attack vector: Network
Complexity: Low
Published: 07/11/2025
Modified: 18/06/2026

CWE-78 Awaiting Analysis

CVE-2026-21509 KEV targets

7.8 High

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could …

Attack vector: LOCAL
Published: 26/01/2026
Modified: 27/03/2026

Analyzed

CVE-2023-21839 KEV targets

7.5 High

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …

Attack vector: Network
Published: 01/05/2023
Modified: 21/12/2025

CVE-2017-11317

targets

CVE-2017-0144 KEV targets

8.8 High

The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.

Attack vector: NETWORK
Complexity: LOW
Published: 17/03/2017
Modified: 22/04/2026

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 3

1–12 of 35

T1036 subtechnique-of

Masquerading MITRE

Tool (1)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…

Campaign (4)

RedPenguin uses
C0032 uses
SolarWinds Compromise uses
HomeLand Justice uses

Contact About Legal notice Privacy policy Terms of use