216.73.217.22

T1655.001: Match Legitimate Name or Location

View on MITRE ATT&CK The MITRE Corporation · Published 17/12/2025 22:47 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1655.001
Confidence
100/100
Revoked
No
Published
17/12/2025 22:47
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Platforms

android iOS

Description

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). Adversaries may also use the same icon of the file or application they are trying to mimic.

Kill chain phases

Kill chainPhase
mitre-mobile-attack defense-evasion

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (3)

  • Bouncing Golf uses
    The MITRE Corporation Confidence 100

    [Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)

    First seen 01/01/1970 · Last seen 16/11/5138 Published 17/12/2025 22:48 · Modified 27/03/2026 01:41
  • APT-C-23 uses MantisDesert Falcon
    The MITRE Corporation Confidence 100

    [APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • MoustachedBouncer uses
    The MITRE Corporation Confidence 100

    [MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14

Malware (25 / 41)

  • Godfather uses
    Family
    Published 11/05/2026 09:07 · Modified 11/05/2026 09:07
  • Red Alert 2.0
  • WolfRAT
  • AndroidOS/MalLocker.B
  • GoldenEagle
  • Phenakite
  • HenBox
  • Android/AdDisplay.Ashas
  • Agent Smith
  • Chameleon
  • SimBad
  • BOULDSPY
  • Anubis uses
    Family
    Published 27/01/2025 14:18 · Modified 27/01/2025 14:18
  • Tiktok Pro
  • DoubleAgent
  • FakeSpy
  • CarbonSteal
  • Asacub
  • FrozenCell
  • Android/SpyAgent
  • Hornbill
  • DroidJack
  • EventBot
  • DOCSWAP uses
    Family
    Published 16/12/2025 14:57 · Modified 16/12/2025 14:57
  • Mandrake uses
    Family The MITRE Corporation Confidence 100

    [Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 17/12/2025 22:47 · Modified 27/03/2026 01:41

Attack patterns (MITRE) (1)

Campaign (1)

  • C0033 uses

Course Of Action (1)

  • User Guidance mitigates