T1036.005: T1036.005

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/02/2020 21:43 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1036.005
Confidence: 100/100
Revoked: No
Published: 10/02/2020 21:43
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

Match Legitimate Resource Name or Location

Platforms

windows macos linux Containers ESXi

Description

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Docker Images
Twitter ItsReallyNick Masquerading Update
mitre-attack (T1036.005)
Elastic Masquerade Ball
Aquasec Kubernetes Backdoor 2023

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (66)

Blue Mockingbird related

The MITRE Corporation Confidence 100

[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlueBravo related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-CRI-1014 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1009 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-STA-1062 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CharmingCypress related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera related

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chinese APT (possibly APT41 subgroup) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ClickFix related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview related Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK (North Korea) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

37–48 of 66

NOKKI uses
Mekotio uses

Family
Java RAT uses

Family
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RustyWater uses

Family
Calisto uses
KaynLdr uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
QUADAGENT uses
Penguish uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WAVESHAPER uses
Havoc uses

The MITRE Corporation Confidence 100

[Havoc](https://attack.mitre.org/software/S1229) is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it…

First seen 01/01/1970 · Last seen 16/11/5138 ·
PureLog Stealer uses

Family

← Previous

Page / 7

1–12 of 73

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure related

AlienVault Confidence 100 19 MITREs 3 Malwares 6 IOCs 1 APT
Millenium: A RAT Rewritten, A Threat Multiplied related

AlienVault Confidence 100 21 MITREs 5 Malwares 60 IOCs 21 Observables 1 APT
ClickFix campaign delivers macOS infostealer via DMG related

AlienVault Confidence 100 10 MITREs 4 Malwares 10 IOCs 4 Observables
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on … related

AlienVault Confidence 100 19 MITREs 3 Malwares 4 IOCs 1 APT
Artifact scanner detects npm package 'node-fetch-utils' using external … related

AlienVault Confidence 100 13 MITREs 2 Malwares 2 IOCs 1 Observable
3CXDesktopApp Intrusion Campaign Prevention related

AlienVault Confidence 100 20 MITREs 2 Malwares 29 IOCs 20 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
From package to postinstall payload: Inside the Mastra … related

AlienVault Confidence 100 21 MITREs 1 Malware 6 IOCs 1 Observable
Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
WebAssembly Malware Found in Trojanized Open VSX Extensions related

AlienVault Confidence 100 17 MITREs 1 Malware 12 IOCs 12 Observables 1 APT
How 23 Browser Extensions Silently Monetize ~758,000 Users' … related

AlienVault Confidence 100 19 MITREs 29 IOCs 29 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (35)

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2026-35273 KEV targets

9.8 Critical

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and …

Attack vector: NETWORK
Complexity: LOW
Published: 11/06/2026
Modified: 12/06/2026

CWE-306 Analyzed

CVE-2026-5426 targets

9.1 Critical

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and …

Attack vector: Network
Complexity: Low
EPSS: 0.0005 (P15.4%)
Published: 16/04/2026
Modified: 26/05/2026

CWE-321 Awaiting Analysis

CVE-2025-30406 KEV targets

9.0 Critical

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Attack vector: Network
Published: 08/04/2025
Modified: 21/12/2025

Received

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-64328 KEV targets

8.6 High

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. In versions 17.0.2.36 and above before 17.0.3, the filestore …

Attack vector: Network
Complexity: Low
Published: 07/11/2025
Modified: 18/06/2026

CWE-78 Awaiting Analysis

CVE-2026-21509 KEV targets

7.8 High

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could …

Attack vector: LOCAL
Published: 26/01/2026
Modified: 27/03/2026

Analyzed

CVE-2023-21839 KEV targets

7.5 High

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic …

Attack vector: Network
Published: 01/05/2023
Modified: 21/12/2025

CVE-2017-11317

targets

CVE-2017-0144 KEV targets

8.8 High

The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.

Attack vector: NETWORK
Complexity: LOW
Published: 17/03/2017
Modified: 22/04/2026

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 3

1–12 of 35

T1036 subtechnique-of

Masquerading MITRE

Tool (1)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…

Campaign (4)

RedPenguin uses
C0032 uses
SolarWinds Compromise uses
HomeLand Justice uses

Contact About Legal notice Privacy policy Terms of use