category MITRE ATT&CK
tactic Defense Evasion
technique T1036
published March 2025
read_time 14 min

T1036 Masquerading: Every Sub-Technique Mapped to Real Campaigns

MITRE ATT&CK T1036 covers one of the oldest and most persistently effective evasion approaches in the threat landscape — making malicious artifacts look legitimate. This article maps each confirmed sub-technique to the real actors, malware families, and campaigns that have used it.

Masquerading sits under the Defense Evasion tactic in the MITRE ATT&CK Enterprise matrix. The core idea is straightforward: an adversary manipulates the perceived identity of a file, process, task, or service so that defenders and their tools see something trusted rather than something hostile. That manipulation can target file names, directory locations, file extensions, digital signatures, icons, parent process relationships, account names, or even Unicode rendering behavior. The attack surface is wider than it first appears.

T1036 currently carries twelve documented sub-techniques, ranging from renamed system utilities all the way to breaking process trees to defeat behavioral analytics. What follows is a structured map of each sub-technique against the confirmed real-world groups and malware families that have used it — drawn from MITRE ATT&CK's own procedure examples, vendor threat intelligence reports, and CISA advisories.

The Twelve Sub-Techniques at a Glance

The table below lays out all twelve sub-techniques with their IDs and a brief description of the mechanism each one exploits.

Sub-technique ID | Name | Core Mechanism
T1036.001 | Invalid Code Signature | Copy metadata and signature info from a legitimate signed binary into a malicious file — the signature appears present but is not cryptographically valid
T1036.002 | Right-to-Left Override | Embed Unicode character U+202E into a filename to reverse how characters are rendered, making an executable appear to have a benign extension
T1036.003 | Rename Legitimate Utilities | Copy or rename a legitimate system binary (rundll32.exe, PSExec, etc.) to bypass monitoring rules tied to those specific binary names
T1036.004 | Masquerade Task or Service | Name a scheduled task or Windows service to match a known-good system task, making malicious persistence blend into normal service lists
T1036.005 | Match Legitimate Resource Name or Location | Place malicious binaries in directories or give them names that match legitimate OS or application components — the most widely abused sub-technique
T1036.006 | Space after Filename | Append a trailing space to a filename on macOS/Linux to prevent the OS from identifying the correct file type by its extension
T1036.007 | Double File Extension | Name a file with two extensions (e.g., document.pdf.exe) where default OS settings hide the true final extension from users
T1036.008 | Masquerade File Type | Modify a file's magic bytes (header signature) and/or extension to make security tooling misidentify the file type during transfer or storage
T1036.009 | Break Process Trees | Modify a process's recorded parent PID to sever the parent-child relationship and defeat behavioral analytics that rely on process lineage
T1036.010 | Masquerade Account Name | Name a created account to closely resemble a legitimate service or system account to avoid standing out in account enumeration
T1036.011 | Overwrite Process Arguments | Overwrite the command-line arguments visible in process listings after execution to hide the actual parameters the process was launched with
T1036.012 | Masquerade File Properties (Icon/Metadata) | Modify PE resource sections to embed icons from trusted applications (Adobe, Microsoft Office) so the file visually resembles a document rather than an executable
Note: T1036.005 (Match Legitimate Resource Name or Location) is the dominant sub-technique by volume of confirmed use. It appears across nation-state APTs, ransomware operators, commodity malware, and cryptomining campaigns. The sections below treat each sub-technique as its own mapped unit.

T1036.001 — Invalid Code Signature

When a digital signature is present on a file, users and many security tools treat it as a trust signal. This sub-technique exploits that assumption by copying the signature block and metadata from a legitimately signed binary and injecting it into a malicious file. The signature will not pass cryptographic validation, but tools and humans that check only for the presence of a signature — rather than its validity — will be fooled.

The 3CX supply chain attack, attributed by Mandiant to a North Korean threat actor in 2023, demonstrated code signature abuse at scale. The malicious installer packages delivered to 3CX customers carried valid-appearing code signatures because the signed 3CX application itself was the vehicle. Tools like MetaTwin, SigThief, and SigFlip are publicly documented for performing this operation against PE files, illustrating how accessible the technique is beyond nation-state actors.

RedLine Stealer and Vidar were both observed in 2023 campaigns abusing Extended Validation (EV) certificates — acquiring them legitimately and then using them to sign malicious payloads before shifting those payloads toward ransomware deployment, as documented by Trend Micro.

T1036.002 — Right-to-Left Override (RTLO)

Unicode character U+202E (Right-to-Left Override) was designed to support Arabic and Hebrew text rendering. Adversaries embed it into filenames to reverse how characters after it are displayed. A screensaver executable named March 25‮xcod.scr renders in Windows Explorer as March 25 rcs.docx — appearing to be a Word document. The underlying file data is unchanged; only the visual representation is manipulated.

This technique appears consistently in targeted spearphishing campaigns across multiple threat actors:

  • BlackTech — the Chinese-nexus espionage group has used RTLO-obfuscated filenames in email attachments targeting Taiwanese organizations, documented by Trend Micro in their BlackTech campaign tracking.
  • BRONZE BUTLER (also known as Tick) — this group used RTLO to deceive victims into executing malware across several campaigns, including Operation ENDTRADE targeting Japanese industrial and government sectors.
  • Ke3chang (APT15) — documented using RTLO in spearphishing attachments to trick targets into running .scr and .exe files that appeared to be benign document types.
  • Scarlet Mimic — used a left-to-right override variant in self-extracting RAR archive names in targeted spearphishing operations.
  • PLEAD — a threat cluster with ties to the Chinese-speaking threat ecosystem used RTLO-renamed attachments in targeted attacks against Taiwanese government agencies, documented as early as 2014.

In 2018, Russian cybercriminals exploited a specific RTLO vulnerability in the Telegram Windows client itself, allowing distribution of cryptominers and RATs through the messaging platform without requiring victims to interact with the file in Windows Explorer.
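As an added example that is not part of the original briefing, the following Python code implements the byte-level scan for U+202E that the detection principles call for, and goes a step beyond the text: it also flags the other Unicode bidi override and isolate controls, and it reports both the extension a user would see and the one the OS will actually dispatch on. The lure filename is constructed after the March 25 example above.

```python
# Added example: spotting bidi-override filename lures (T1036.002).
# The sample filename at the bottom is constructed for the demonstration.

# Unicode bidi controls that change how a name is drawn without changing its bytes.
# U+202E (RLO) is the one in the lure; the rest behave similarly and are worth flagging.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name: str) -> list:
    """Return (index, label) for every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_controls(text: str) -> str:
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """The extension the OS actually dispatches on: text after the last '.' in the raw name."""
    cleaned = strip_controls(name)
    dot = cleaned.rfind(".")
    return cleaned[dot:].lower() if dot != -1 else ""


def approximate_display(name: str) -> str:
    """What a file browser shows for an unterminated U+202E: the characters after the
    override are drawn right-to-left. This is a simplification of the Unicode bidi
    algorithm that is accurate for plain ASCII lures like the one in the text."""
    idx = name.find("\u202e")
    if idx == -1:
        return strip_controls(name)
    head, tail = name[:idx], strip_controls(name[idx + 1:])
    return strip_controls(head) + tail[::-1]


def assess_filename(name: str) -> dict:
    """Compare the displayed extension with the real one; disagreement is the lure."""
    shown = approximate_display(name)
    shown_ext = shown[shown.rfind("."):].lower() if "." in shown else ""
    real_ext = true_extension(name)
    controls = find_bidi_controls(name)
    return {
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


def contains_rtlo_bytes(raw: bytes) -> bool:
    """Byte-level scan for U+202E: E2 80 AE in UTF-8, or 2E 20 at a code-unit
    boundary in UTF-16LE (how NTFS and most Windows APIs store names)."""
    if b"\xe2\x80\xae" in raw:
        return True
    return any(raw[i:i + 2] == b"\x2e\x20" for i in range(0, len(raw) - 1, 2))


if __name__ == "__main__":
    lure = "March 25 \u202excod.scr"  # constructed sample, modelled on the example in the text
    print(assess_filename(lure))
    print(contains_rtlo_bytes(lure.encode("utf-8")), contains_rtlo_bytes(lure.encode("utf-16-le")))
```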

T1036.003 — Rename Legitimate Utilities

Security tools frequently monitor specific system binary names — PSExec, rundll32.exe, mshta.exe, AutoHotKey — because they are commonly abused. Renaming these binaries before use, or copying them to a different directory under a different name, bypasses monitoring rules that key on binary names or paths rather than file hashes or behavioral indicators.

  • APT32 (OceanLotus) — documented moving and renaming pubprn.vbs to a .txt file extension to avoid detection during intrusions.
  • Lazarus Group — the DPRK-affiliated group has incorporated renamed LOLBins (Living Off the Land Binaries) extensively, with Sigma detection rules specifically tracking Lazarus binaries that use system binary names while executing from non-default locations.
  • APT10 — documented using renamed legitimate utilities in targeted intrusions against Japanese corporations.
  • BlueNoroff — introduced methods to rename utilities as part of bypassing Mark of the Web (MoTW) controls in 2022 campaigns.
  • Daggerfly — the APT actor documented targeting a telecom company in Africa used renamed utilities as part of its toolkit.
  • QakBot (QBot) — Securonix documented a variant execution chain in late 2022 where QakBot used a renamed and re-positioned regsvr32 binary to execute its DLL payload.

# Example detection logic — flag svchost.exe executing outside expected paths
# Legitimate: C:\Windows\System32\svchost.exe
# Suspicious: C:\Users\Public\svchost.exe
#             C:\Windows\Resources\svchost.exe
#             C:\Users\<user>\AppData\Local\svchost.exe

T1036.004 — Masquerade Task or Service

Scheduled tasks and Windows services are expected artifacts in any enterprise environment. Naming a malicious task or service after a well-known system component dramatically reduces the chance of detection during routine audit or during incident response triage.

  • WannaCry — in the 2017 global ransomware campaign, the malware created a Windows service named MSSECSVC, with its ImagePath pointing to mssecsvc.exe. The name was deliberately constructed to resemble "Microsoft Security Center" — a plausible-looking system security service in enterprise environments. This masquerade contributed to WannaCry's ability to spread rapidly before defenders could identify the service as malicious.
  • SolarWinds SUNBURST — the Solorigate backdoor created a scheduled task named SolarWinds.Orion.Core.BusinessLayer.BackgroundJobExecutor, aligning perfectly with the naming conventions of legitimate SolarWinds Orion tasks already present on compromised systems. CISA and multiple vendors confirmed this detail.
  • Tarrask — Microsoft documented this malware in 2022 using scheduled tasks for defense evasion, specifically creating "hidden" scheduled tasks through direct registry manipulation that bypassed standard Windows task scheduler visibility.
  • TinyTurla — Cisco Talos documented this Turla-linked backdoor deploying as a service named to blend with legitimate Windows security service names.
  • Shamoon — the destructive wiper attributed to Iranian threat actors used service masquerading as part of its operational pattern in multiple deployment waves targeting Middle Eastern energy organizations.
  • Raspberry Robin — this worm and malware loader, tracked since 2022, has used masqueraded tasks as part of its persistence mechanism across campaigns targeting telecom and government organizations.
  • Storm-0501 — Microsoft documented this ransomware affiliate in 2024 using service masquerading as part of attacks expanding into hybrid cloud environments.
Warning: Masqueraded scheduled tasks created via direct registry writes (bypassing the Task Scheduler API) may not appear in schtasks /query output or the Task Scheduler GUI, making standard audit commands unreliable for full coverage. Raw registry inspection of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree is required for comprehensive visibility.
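The Python code below is an added example, not from the article or from any vendor tool: it baselines task and service names, flags near-miss names with fuzzy matching, flags a known name reused for a different binary, and diffs TaskCache\Tree names against schtasks output to surface tasks hidden from the API. The baseline, the observed names and both listings are constructed.

```python
# Added example: baselining scheduled task and service names (T1036.004), plus the
# registry-versus-API diff the warning above calls for. All data is constructed.
import difflib
import unicodedata


def normalize(name: str) -> str:
    """Case, surrounding whitespace and Unicode compatibility forms (e.g. a no-break
    space in place of a space) should not distinguish two names."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def lookalike_names(observed, baseline, cutoff: float = 0.85) -> list:
    """Names close to, but not identical with, a baselined name."""
    canon = {normalize(b): b for b in baseline}
    hits = []
    for name in observed:
        key = normalize(name)
        if key in canon:
            continue
        match = difflib.get_close_matches(key, list(canon), n=1, cutoff=cutoff)
        if match:
            hits.append((name, canon[match[0]]))
    return hits


def unexpected_images(observed, baseline) -> list:
    """Exact name match but a different binary path: the trusted name reused for another file.
    Both arguments are {task_name: image_path}."""
    canon = {normalize(k): v.casefold() for k, v in baseline.items()}
    return [(n, p) for n, p in observed.items()
            if normalize(n) in canon and canon[normalize(n)] != p.casefold()]


def hidden_tasks(taskcache_tree_names, schtasks_names) -> list:
    """Tasks listed under ...\\Schedule\\TaskCache\\Tree but missing from schtasks /query
    output: the registry-only pattern described in the warning."""
    visible = {normalize(n) for n in schtasks_names}
    return sorted(n for n in taskcache_tree_names if normalize(n) not in visible)


BASELINE_TASKS = {  # constructed: name -> expected image path
    r"\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser":
        r"C:\Windows\System32\compattelrunner.exe",
    r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan":
        r"C:\Program Files\Windows Defender\MpCmdRun.exe",
}
OBSERVED_TASKS = {  # constructed: what an audit found on one host
    r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan":
        r"C:\Program Files\Windows Defender\MpCmdRun.exe",
    r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scans":
        r"C:\Users\Public\mpcmd.exe",
    r"\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser":
        r"C:\Users\Public\compattelrunner.exe",
    r"\Vendor\Backup Nightly": r"C:\Program Files\Vendor\backup.exe",
}
# constructed: registry tree carries one extra entry the API never showed
TASKCACHE_TREE = list(OBSERVED_TASKS) + [r"\Microsoft\Windows\Maintenance\WinSAT"]
SCHTASKS_OUTPUT = list(OBSERVED_TASKS)

if __name__ == "__main__":
    print(lookalike_names(OBSERVED_TASKS, BASELINE_TASKS))
    print(unexpected_images(OBSERVED_TASKS, BASELINE_TASKS))
    print(hidden_tasks(TASKCACHE_TREE, SCHTASKS_OUTPUT))
```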

T1036.005 — Match Legitimate Resource Name or Location

This is the most heavily abused sub-technique. Adversaries name malicious binaries to exactly match trusted Windows or Linux system processes — svchost.exe, dllhost.exe, lsass.exe, systemd — and execute them from non-standard directories. Because security tools and analysts frequently filter on process name, the malicious process blends into the expected noise of system activity.

The confirmed use instances span nearly every major threat cluster in the ATT&CK corpus:

Nation-State and Advanced Persistent Threats

  • NOBELIUM (APT29 / Cozy Bear) — used the GoldMax, GoldFinder, and Sibot toolset with naming and locations designed to blend into legitimate SolarWinds Orion directory structures. MSTIC documented the naming conventions specifically as aligned with legitimate Orion module naming.
  • APT32 (OceanLotus) — the Vietnamese-linked espionage group has used process and binary naming to match legitimate macOS system components alongside Windows targets across a decade of documented operations.
  • Lazarus Group — DPRK's primary offensive cyber unit has placed binaries named to match Windows system processes in non-standard directories as a consistent operational pattern across multiple campaigns. In the 2024 MITRE ATT&CK Evaluations DPRK emulation scenario, malware masquerading as a legitimate Docker file was used to demonstrate this exact sub-technique.
  • Kimsuky — another North Korean group, documented using AppleSeed backdoor components named to align with expected system or application file names.
  • APT10 — the Chinese threat group targeted Japanese corporations using components named to match trusted application libraries.
  • RedDelta (Mustang Panda) — Insikt Group documented this Chinese group in early 2025 targeting Taiwan, Mongolia, and Southeast Asia with an adapted PlugX infection chain where components were named to match legitimate resource locations.
  • Carbanak / FIN7 — the financially motivated group used components named to match Windows management infrastructure in their extensive banking sector targeting, documented by Kaspersky's Global Research and Analysis Team.
  • LuminousMoth — documented targeting Southeast Asian government networks with malware files named to impersonate legitimate system DLLs.
  • Cyclops Blink — the Sandworm-linked router botnet malware documented by NCSC in 2022 used naming conventions aligned with legitimate router firmware components.
  • Iron Tiger (APT27) — documented using SysUpdate components positioned to look like legitimate Windows or application binaries in telecom and government intrusions.
  • ArcaneDoor — Cisco Talos documented this 2024 espionage campaign targeting perimeter network devices, with implants named to align with legitimate device management processes.

Ransomware and Crimeware Operators

  • Black Basta — a May 2024 Cisco Talos report documented the social engineering campaign linked to Black Basta using files positioned within directories and under names consistent with expected application components.
  • Cuba Ransomware — operators used components named to resemble legitimate Windows system files as part of their lateral movement and deployment chain.
  • Conti / BazarLoader — DFIR Report documented BazarLoader variants changing file extensions from PDF to DLL and placing renamed components in user-writable paths under system-like names.
  • Ryuk — ANSSI's 2021 analysis confirmed Ryuk placing components to match legitimate Windows file naming within targeted environments.

Field Observation Data

Cynet research across multiple independent production environments identified repeated instances of svchost.exe executing from C:\Users\Public\, C:\Windows\System\, C:\Windows\Resources\, and AppData paths — all clear deviations from the legitimate paths of C:\Windows\System32\ and C:\Windows\SysWOW64\. These were confirmed malicious in all six observed cases, illustrating that the technique remains actively deployed in real enterprise environments as of 2025.

Critical: Detection of T1036.005 requires validating the full execution path and digital signature — not just the process name. A process named svchost.exe is expected. A process named svchost.exe running from %APPDATA% without a valid Microsoft signature is a strong indicator of compromise.
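As an added example (not from the article), here is the path, PE OriginalFilename and signature validation described above, written in Python over constructed process events. It covers renamed utilities (T1036.003) as well as trusted names in the wrong location (T1036.005); the canonical directory table and the expected signer string are assumptions to replace with your own baseline.

```python
# Added example: validate a process by path, signature and PE original filename
# rather than by its displayed name (T1036.003, T1036.005, signature check from
# T1036.001). Events are constructed; the canonical-path table is an assumption.
from dataclasses import dataclass

CANONICAL_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "regsvr32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "mshta.exe":    {r"c:\windows\system32", r"c:\windows\syswow64"},
}
EXPECTED_SIGNER = "microsoft windows"  # assumption: publisher name as your EDR reports it


@dataclass
class ProcessEvent:
    image_path: str          # full path the process was started from
    original_filename: str   # OriginalFilename from the PE VERSIONINFO resource
    signer: str              # "" when unsigned
    signature_valid: bool    # result of cryptographic validation, not mere presence


def split_image(path: str):
    """Normalise to lower-case backslash form and split into (directory, basename)."""
    norm = path.replace("/", "\\").lower()
    directory, _, name = norm.rpartition("\\")
    return directory, name


def evaluate(ev: ProcessEvent) -> list:
    findings = []
    directory, name = split_image(ev.image_path)
    orig = ev.original_filename.lower()
    if name not in CANONICAL_DIRS and orig not in CANONICAL_DIRS:
        return findings  # not a watched binary under either identity
    # T1036.005: trusted name, launched from somewhere the real binary never lives
    if name in CANONICAL_DIRS and directory not in CANONICAL_DIRS[name]:
        findings.append(f"T1036.005: {name} running from {directory}")
    # T1036.003: the PE identifies itself as a known utility but carries another name
    if orig in CANONICAL_DIRS and orig != name:
        findings.append(f"T1036.003: {name} has OriginalFilename {orig}")
    # Signature: presence is not validity, and the signer has to be the right one
    if not ev.signature_valid:
        findings.append(f"signature: {name} unsigned or fails validation")
    elif ev.signer.lower() != EXPECTED_SIGNER:
        findings.append(f"signature: {name} signed by {ev.signer!r}, expected Microsoft")
    return findings


def scan(events) -> dict:
    """Map each image path to its findings; clean events are omitted."""
    result = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev.image_path] = hits
    return result


SAMPLE_EVENTS = [  # constructed
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe", "Microsoft Windows", True),
    # pasted signature block: signer looks right but does not validate
    ProcessEvent(r"C:\Users\Public\svchost.exe", "svchost.exe", "Microsoft Windows", False),
    # genuine regsvr32 copied under another name
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe", "regsvr32.exe", "Microsoft Windows", True),
    ProcessEvent(r"C:\Windows\System32\dllhost.exe", "dllhost.exe", "Contoso Ltd", True),
    ProcessEvent(r"C:\Program Files\Vendor\app.exe", "app.exe", "Vendor Inc", True),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(path, "->", hits)
```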

T1036.006 and T1036.007 — Space after Filename and Double File Extension

T1036.006 (Space after Filename) primarily targets macOS and Linux. Appending a trailing space to a filename (e.g., "malware.py " with the space inside the quotes) prevents the OS from recognizing the file type by extension in some contexts. The XCSSET malware, which targets Xcode project environments on macOS, has used this technique alongside other macOS-specific masquerading approaches — including creating malicious application bundles that mimic Safari by copying its icon and Info.plist metadata. Microsoft documented new XCSSET samples in March 2025 adding updated obfuscation and persistence techniques.

T1036.007 (Double File Extension) exploits default Windows settings that hide known file extensions in Explorer. A file named invoice.pdf.exe displays as invoice.pdf to users with default settings. This is a delivery and initial access enabler frequently paired with spearphishing attachments. Documented users include:

  • OilRig (APT34) — the Iranian-linked group has used .doc extensions to mask executables in targeted operations against Middle Eastern organizations.
  • Saint Bot — the downloader was documented renaming malicious binaries as wallpaper.mp4 and slideshow.mp4 to appear as media files.
  • AgentTesla — distributed through CHM and PDF-masqueraded file types in targeted campaigns documented by Cyble in 2023.
  • Sandworm Team — the Russian GRU-linked group masqueraded malicious installer packages as Windows update files during Ukraine-targeting campaigns.

T1036.008 — Masquerade File Type

Rather than changing the extension visible to a user, this sub-technique modifies the actual header (magic bytes) of a file to make file type identification tools misclassify the payload. A malicious PE executable might have its first bytes overwritten to match a JPEG header (0xFF 0xD8), allowing it to pass file type validation at upload or transfer checkpoints. The attacker then reverses the modification after delivery, or relies on the execution chain to handle the actual file regardless of its declared type.

  • Lazarus Group / MagicRAT — Cisco Talos documented this RAT using file type masquerading as part of its delivery mechanism in 2022 campaigns targeting networks across multiple sectors.
  • Mustang Panda / PlugX — EclecticIQ documented a February 2023 campaign where Mustang Panda used European Commission-themed lures to deliver PlugX with file type manipulation as part of the delivery chain.
  • BRONZE PRESIDENT — Secureworks documented this Chinese-nexus group targeting Russian speakers with updated PlugX variants that used file type manipulation during lateral movement.
  • Operation North Star / Lazarus — Unit 42 documented this campaign targeting defense and aerospace companies using masqueraded file types to move payloads.
  • StrelaStealer — documented by IBM X-Force in late 2024, this information stealer targeting mail credentials in European campaigns used file type manipulation to bypass gateway controls.
  • Raspberry Robin — confirmed using file type masquerading in its worm propagation mechanism, as documented by multiple vendors tracking the campaign through 2022 and 2023.
  • BRONZE SILHOUETTE — Secureworks documented this PRC-linked group targeting US government and defense organizations using file type masquerading during intrusions.
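Added example, not from the article: a Python check that validates a received file's declared type against its content, covering the double-extension case from T1036.007 and the T1036.008 case above, where the leading magic bytes were rewritten to a JPEG header but the PE structure behind them survives. The sample PE image and file names are constructed.

```python
# Added example: declared type versus content, with a look past the first bytes
# for the T1036.008 case. Sample files are constructed for the demonstration.

TYPE_BY_MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]
TYPE_BY_EXT = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
    ".zip": "zip", ".docx": "zip",
}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".jpeg", ".png", ".mp4"}


def extensions(name: str) -> list:
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_double_extension(name: str) -> bool:
    """T1036.007: a document-looking extension right before the real executable one."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def sniff_leading(data: bytes) -> str:
    for sig, kind in TYPE_BY_MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def hidden_pe(data: bytes, window: int = 4096) -> bool:
    """Look past the first bytes: e_lfanew at offset 0x3C should point at 'PE\\0\\0',
    and the DOS stub text usually survives a magic-byte rewrite."""
    if len(data) >= 0x40:
        off = int.from_bytes(data[0x3C:0x40], "little")
        if 0 < off <= len(data) - 4 and data[off:off + 4] == b"PE\x00\x00":
            return True
    return b"This program cannot be run in DOS mode" in data[:window]


def assess_file(name: str, data: bytes) -> list:
    """Return (code, detail) findings for one received file."""
    findings = []
    exts = extensions(name)
    declared = TYPE_BY_EXT.get(exts[-1], "unknown") if exts else "unknown"
    sniffed = sniff_leading(data)
    if is_double_extension(name):
        findings.append(("T1036.007", f"double extension {''.join(exts[-2:])}"))
    if declared != "unknown" and sniffed != declared:
        findings.append(("type-mismatch", f"declared {declared}, content starts as {sniffed}"))
    if declared != "pe" and sniffed != "pe" and hidden_pe(data):
        findings.append(("T1036.008", f"PE structure behind a {sniffed} header"))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS header with e_lfanew=0x80, stub text, PE signature."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub = b"This program cannot be run in DOS mode"
    dos[0x40:0x40 + len(stub)] = stub
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 64


FAKE_PE = build_fake_pe()
# The T1036.008 case: first four bytes rewritten to a JFIF header, everything else intact.
DISGUISED_PE = b"\xff\xd8\xff\xe0" + FAKE_PE[4:]

if __name__ == "__main__":
    for fname, blob in [("invoice.pdf.exe", FAKE_PE), ("holiday.jpg", DISGUISED_PE),
                        ("report.pdf", FAKE_PE), ("report.pdf", b"%PDF-1.7\n")]:
        print(fname, assess_file(fname, blob))
```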

T1036.009 — Break Process Trees

Modern endpoint detection relies heavily on process lineage — understanding that a browser spawning cmd.exe is suspicious, while Explorer spawning notepad.exe is not. Breaking the process tree severs this relationship by manipulating the parent process ID recorded in the operating system, making a malicious process appear to have been spawned by a benign or expected parent.

XorDdos — this Linux trojan uses T1036.009 extensively. At system startup, XorDdos checks whether it is running from /bin, /usr/bin, or /tmp. If not, it copies itself to /lib/libudev.so, performs a double fork() to detach from its parent process, then deletes the original copy. The double fork creates a new process with no direct parent relationship to the original execution context, breaking the process tree used by behavioral detection. XorDdos also invokes the daemon syscall to further detach execution from the process hierarchy.

The use of double fork and daemon syscall patterns for process tree evasion appears across multiple Linux-targeting malware families, as the technique maps well to the Unix process model.
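As an added example not taken from the article or from any XorDdos analysis, the Python code below applies the lineage signals described above to a constructed /proc-style snapshot: reparenting to PID 1, a binary unlinked after start, execution from a world-writable directory, a shared object run as a program, and an argv[0] that does not match the executable. The list of services expected to hang off PID 1 is an assumption.

```python
# Added example: finding processes whose lineage looks severed the way the text
# describes (double fork, copy to a library path, original unlinked). The snapshot
# resembles what /proc would show and is constructed; the allowlist is an assumption.
from dataclasses import dataclass
from os.path import basename


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str       # resolved target of /proc/<pid>/exe ("(deleted)" suffix if unlinked)
    cmdline: str   # argv joined with spaces, argv[0] first


EXPECTED_INIT_CHILDREN = {
    "/usr/sbin/sshd", "/usr/sbin/cron", "/usr/lib/systemd/systemd-journald",
}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def exe_path(p: Proc) -> str:
    """Strip the ' (deleted)' marker the kernel appends when the binary was unlinked."""
    return p.exe[:-len(" (deleted)")] if p.exe.endswith(" (deleted)") else p.exe


def lineage_findings(snapshot) -> dict:
    """Return {pid: [reasons]} for processes worth a second look."""
    by_pid = {p.pid: p for p in snapshot}
    out = {}
    for p in snapshot:
        if p.pid == 1:
            continue
        reasons = []
        path = exe_path(p)
        # A double fork leaves the grandchild reparented to PID 1 (or a subreaper);
        # a parent that no longer exists in the snapshot is the same signal.
        if (p.ppid == 1 or p.ppid not in by_pid) and path not in EXPECTED_INIT_CHILDREN:
            reasons.append("parent is PID 1 or gone, not an expected service")
        if p.exe.endswith(" (deleted)"):
            reasons.append("binary unlinked after start")
        if path.startswith(WRITABLE_DIRS):
            reasons.append("binary in a world-writable directory")
        if path.endswith(".so"):
            reasons.append("shared object executed as a program")
        # Login shells prefix argv[0] with '-', so strip it before comparing names.
        argv0 = p.cmdline.split(" ")[0].lstrip("-") if p.cmdline else ""
        if argv0 and basename(argv0) != basename(path):
            reasons.append(f"argv[0] {argv0!r} does not match exe {path!r}")
        if reasons:
            out[p.pid] = reasons
    return out


SNAPSHOT = [  # constructed
    Proc(1, 0, "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(700, 1, "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(3000, 700, "/usr/bin/bash", "-bash"),
    Proc(1432, 1, "/lib/libudev.so", "/lib/libudev.so"),
    Proc(2100, 1, "/tmp/.x (deleted)", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for pid, why in lineage_findings(SNAPSHOT).items():
        print(pid, why)
```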

T1036.010, T1036.011, T1036.012 — Account, Argument, and Icon Masquerading

T1036.010 (Masquerade Account Name) involves naming created accounts to resemble service accounts or system accounts — for example creating an account named svc_backup or windows.update that blends into an account enumeration list. This is difficult to detect without baselining expected account names and flagging deviations. Several ransomware operators have used this technique during post-exploitation phases to establish persistent access under accounts that appear to belong to IT operations rather than an attacker.

T1036.011 (Overwrite Process Arguments) allows an attacker to overwrite the command-line string visible in process listings after execution. When an analyst queries running processes, they see benign-looking arguments rather than the actual parameters used to launch the malicious payload. This technique is particularly effective against forensic queries and live-response tools that read process command-line arguments from memory.

T1036.012 (Masquerade File Properties — Icon and Metadata) involves modifying the PE resource section to embed an icon from a trusted application. BRONZE BUTLER masked executables with icons cloned from Microsoft Word and Adobe PDF documents. The Pony malware family was documented using the Adobe Reader icon to make dropper executables appear to be PDF documents. XCSSET on macOS extended this to full application bundle impersonation — copying Safari's icon, bundle identifier, and Info.plist configuration to create a convincing fake browser bundle.

Landmark Campaign Case Studies

SolarWinds SUNBURST (2020) — Identity Inheritance at Scale

The SolarWinds compromise represents one of the most sophisticated real-world applications of masquerading on record. The SUNBURST backdoor was embedded inside digitally signed SolarWinds Orion platform updates. By inheriting the trust of the Orion application — a legitimate enterprise IT management platform used across government and major corporations — the implant executed under an identity that security tools, network monitoring systems, and analysts had every reason to trust.

The malicious DLL was named to follow SolarWinds' internal development naming conventions, making it appear as a routine platform library component. A scheduled task using the name SolarWinds.Orion.Core.BusinessLayer.BackgroundJobExecutor aligned perfectly with legitimate Orion task names already present on the systems. Raindrop, a second-stage payload discovered during the investigation, used further masquerading to blend with expected Orion-related activity. The overall dwell time before detection — estimated at up to nine months — was enabled substantially by this identity alignment.

WannaCry (2017) — Service Masquerade Enabling Global Lateral Movement

WannaCry used masquerading at both the service and binary level to support its rapid spread via the EternalBlue SMB exploit. After lateral movement, the ransomware created a Windows service named MSSECSVC with its ImagePath pointing to mssecsvc.exe. The name was constructed to resemble "Microsoft Security Center" — a plausible-sounding security service that administrators would not immediately flag as suspicious in a fast-moving enterprise environment. This contributed to the malware's ability to spread across approximately 200,000 systems in 150 countries before effective mitigations were deployed.

Lazarus / Contagious Interview (2024–2025) — Masquerading in Software Supply Chain Lures

The DPRK-linked Contagious Interview campaign, extensively documented by Unit 42 and other vendors through 2024 and into 2025, uses a social engineering approach where targets are invited to complete a job interview by installing what appears to be a legitimate videoconferencing or developer tool. The BeaverTail and InvisibleFerret malware delivered through this campaign use file names and packaging that closely mirror legitimate npm packages and developer utilities. Lazarus has also expanded malicious npm package campaigns — with Kirill Boychenko at Socket documenting 11 new packages with malware loaders in April 2025 and another 35 packages dropped in June 2025 — all using naming conventions designed to appear as legitimate development dependencies.

Detection Principles

No single detection control covers all twelve sub-techniques. Effective detection requires layering:

  1. Path validation for known system binaries: Maintain a baseline of expected execution paths for all Windows system binaries. Alert on any instance of a known binary name executing from outside its canonical directory. For svchost.exe, that means anything outside System32 or SysWOW64 warrants immediate investigation.
  2. Hash allowlisting against process names: When a process name matches a known system binary, verify its file hash against a trusted baseline. A name match with a hash mismatch is a strong indicator of compromise under T1036.005 or T1036.003.
  3. Digital signature verification: Validate signatures cryptographically, not just by their presence. T1036.001 relies on tools that check for a signature but do not validate it.
  4. RTLO byte scanning in filenames: Scan attachment and file names at the byte level for the UTF-8 sequence 0xE2 0x80 0xAE (U+202E). Visual string inspection will not catch this — raw byte inspection is required.
  5. File type validation against declared type: For files received via email or upload, validate magic bytes against the declared MIME type and extension. Mismatches indicate potential T1036.007 or T1036.008 use.
  6. Process tree analysis: Monitor for processes with missing or unexpected parent PIDs, and for use of double fork patterns on Linux systems.
  7. Service and task name baselining: Maintain a whitelist of expected scheduled task and service names. Alert on new tasks or services whose names closely but not exactly match known-good names — fuzzy matching against the baseline is more effective than exact match rules.

Key Takeaways

  1. T1036.005 is the most pervasive sub-technique and appears across nation-state APTs, ransomware operators, commodity malware, and crimeware families. It succeeds because detection that relies on process name alone will always be defeated by it.
  2. Masquerading enables dwell time — the SolarWinds case demonstrates that identity-aligned artifacts can remain undetected for months across heavily monitored environments when the masquerade is sophisticated enough.
  3. The technique is not limited to Windows — T1036.006 and T1036.009 target macOS and Linux specifically, and XorDdos demonstrates that process tree evasion is actively operationalized on Linux targets.
  4. 2024 and 2025 campaigns confirm active use — ArcaneDoor, Contagious Interview, DEEP#DRIVE, and the expanded Lazarus npm campaigns all document fresh instances of this technique family against current targets.
  5. Detection requires multi-layer validation — name, path, hash, and signature must all be validated together. Any single check in isolation is insufficient against a prepared adversary using these sub-techniques.

T1036 occupies its position in the framework because identity deception works — reliably, repeatably, and at scale. The threat actors who use it range from commodity crimeware to the most capable nation-state operators in the world. The mapping above reflects confirmed use documented in public threat intelligence as of March 2025. The MITRE ATT&CK page at attack.mitre.org/techniques/T1036/ continues to be updated with new procedure examples as they are reported.

— end of briefing