T1036.005: T1036.005

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/02/2020 21:43 · Modified 27/03/2026 01:08

Essential information

MITRE technique ID: T1036.005
Confidence: 100/100
Revoked: No
Published: 10/02/2020 21:43
Modified: 27/03/2026 01:08
Author / Source: The MITRE Corporation

Aliases

Match Legitimate Resource Name or Location

Platforms

windows macos linux Containers ESXi

Description

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Docker Images
Twitter ItsReallyNick Masquerading Update
mitre-attack (T1036.005)
Elastic Masquerade Ball
Aquasec Kubernetes Backdoor 2023

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (66)

UAC-0125 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silence uses Whisper Spider

The MITRE Corporation Confidence 100

[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rocke uses

The MITRE Corporation Confidence 100

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang uses APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tadashi uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonBreath uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mustard Tempest uses DEV-0206GOLD PRELUDE

The MITRE Corporation Confidence 100

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access…

First seen 01/01/1970 · Last seen 16/11/5138 ·
alh1mik uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
VasyGrek uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
INC Ransom uses GOLD IONIC

The MITRE Corporation Confidence 100

[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Whitefly uses

The MITRE Corporation Confidence 100

[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 66

NOKKI uses
Mekotio uses

Family
Java RAT uses

Family
ValleyRAT uses

Family
RustyWater uses

Family
Calisto uses
KaynLdr uses

Family
QUADAGENT uses
Penguish uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WAVESHAPER uses
Havoc uses

Family
PureLog Stealer uses

Family

← Previous

Page / 7

1–12 of 73

ClickFix campaign delivers macOS infostealer via DMG related

AlienVault Confidence 100 10 MITREs 4 Malwares 10 IOCs 4 Observables
Artifact scanner detects npm package 'node-fetch-utils' using external … related

AlienVault Confidence 100 13 MITREs 2 Malwares 2 IOCs 1 Observable
3CXDesktopApp Intrusion Campaign Prevention related

AlienVault Confidence 100 20 MITREs 2 Malwares 29 IOCs 20 Observables 1 APT
Threat Actors Abuse claude.ai Shared Chat for ClickFix … related

AlienVault Confidence 100 19 MITREs 1 Malware 21 IOCs 21 Observables
From package to postinstall payload: Inside the Mastra … related

AlienVault Confidence 100 21 MITREs 1 Malware 6 IOCs 1 Observable
Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Investigation of email-based attack delivering MediaFire ZIP file … related

AlienVault Confidence 100 14 MITREs 1 Malware 4 IOCs 4 Observables
WebAssembly Malware Found in Trojanized Open VSX Extensions related

AlienVault Confidence 100 17 MITREs 1 Malware 12 IOCs 12 Observables 1 APT
How 23 Browser Extensions Silently Monetize ~758,000 Users' … related

AlienVault Confidence 100 19 MITREs 29 IOCs 29 Observables
The Package That Never Shipped: Following a USPS … related

AlienVault Confidence 100 21 MITREs 8 IOCs 8 Observables
Targets Education Sector with Oracle PeopleSoft Exploit related

AlienVault Confidence 100 1 CVE 20 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
World Cup 2026 Mobile Targeted Phishing: The Global … related

AlienVault Confidence 100 28 MITREs 5 IOCs 5 Observables

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (35)

CVE-2023-39143 targets

9.8 Critical

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This …

Attack vector: NETWORK
Published: 04/08/2023
Modified: 08/05/2026

CVE-2023-0669 KEV targets

7.2 High

Fortra (formerly, HelpSystems) GoAnywhere MFT contains a pre-authentication remote code execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled …

Attack vector: Network
Published: 10/02/2023
Modified: 21/12/2025

CVE-2021-45461 targets

9.8 Critical

FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 16.0.18.40, or 16.0.18.41 is installed, allows remote attackers to execute arbitrary code, as …

Attack vector: NETWORK
Published: 22/12/2021
Modified: 28/01/2026

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2026-45585 targets

6.8 Medium

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this …

Attack vector: Physical
Complexity: Low
Published: 20/05/2026
Modified: 04/06/2026

CWE-77 Analyzed

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2019-19006 KEV targets

9.8 Critical

Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the …

Attack vector: NETWORK
Complexity: Low
Published: 21/11/2019
Modified: 18/06/2026

CWE-287

CVE-2026-3102 targets

5.3 Medium

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of …

Published: 24/02/2026
Modified: 24/02/2026

Awaiting Analysis

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

← Previous

Page / 3

25–35 of 35

T1036 subtechnique-of

Masquerading MITRE

Tool (1)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…

Campaign (4)

RedPenguin uses
C0032 uses
SolarWinds Compromise uses
HomeLand Justice uses

Contact About Legal notice Privacy policy Terms of use