Masquerading: Match Legitimate Resource Name or Location, Sub-technique T1036.005 - Enterprise
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.[2]
During the 2025 Poland Wiper Attacks, the adversaries created rules that mimicked the name of an institution already present in the network device configuration to avoid detection.[3]
admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe[4]
Akira has used legitimate names and locations for files to evade defenses.[5]
ANDROMEDA has been installed to C:\Temp\TrustedInstaller.exe to mimic a legitimate Windows installer service.[6]
AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[7]
APT-C-36 has disguised malicious executables to appear as legitimate files.[8]
The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[9][10]
APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[11]
APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.[12][13]
APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.[14][15]
APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[16][17]
APT41 attempted to masquerade their files as popular anti-virus software.[18][19]
APT42 has masqueraded the VINETHORN payload as a VPN application.[20]
APT5 has named exfiltration archives to mimic Windows Updates at times using filenames with a KB<digits>.zip pattern.[21]
Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[22]
AshTag has masqueraded as a legitimate VisualServer utility.[23]
BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.[24]
BackdoorDiplomacy has dropped implants in folders named for legitimate software.[25]
Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.[26][27]
BADNEWS attempts to hide its payloads using legitimate filenames.[28]
The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.[29][30][31]
Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.[32]
The Black Basta dropper has mimicked an application for creating USB bootable drivers.[33]
BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[34]
Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[35]
BRICKSTORM has been named to resemble legitimate processes, including the vCenter process vami-http.[36][37][38] BRICKSTORM has also used legitimate VMware vSphere platform names such as vmsrc or vmware-sphere.[39]
BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[40]
Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[41]
Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.[42]
Bundlore has disguised a malicious .app file as a Flash Player update.[43]
During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[44]
For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe.[45]
During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[46]
Calisto's installation file is an unsigned DMG image under the guise of Intego's security solution for Mac.[47]
CANONSTAGER has named its malicious DLL to match legitimate software, including cnmpaui.dll, which matches the legitimate executable cnmpaui.exe belonging to the Canon Inkjet Printer Assistant Tool.[48]
Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[49]
Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[50][51]
Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.[52]
ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[53]
Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[54]
Chinoxy has used the name eoffice.exe in an attempt to appear as a legitimate file.[55]
CLAIMLOADER has imitated legitimate software directories by creating and storing its EXE and DLL in C:\ProgramData\ and using legitimate-looking software names.[56]
Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.[57]
Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[58][59]
Cyclops Blink can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. Cyclops Blink has also named RC scripts used for persistence after WatchGuard artifacts.[60]
DanBot files have been named UltraVNC.exe and WINVNC.exe to appear as legitimate VNC tools.[61]
DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[62]
Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.[63]
Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[64]
Doki has disguised a file as a Linux kernel module.[65]
DRATzarus has been named Flash.exe, and its dropper has been named IExplorer.[66]
One Dtrack variant can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.[67]
DUSTPAN is often disguised as a legitimate Windows binary such as w3wp.exe or conn.exe.[68]
Earth Lusca used the command move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll to move and register a malicious DLL as a Windows print processor, which was eventually loaded by the Print Spooler service.[69]
EKANS has been disguised as update.exe to appear as a valid executable.[70]
If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[71]
Ember Bear has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to java in victim environments.[72]
Felismus has masqueraded as legitimate Adobe Content Management System files.[73]
Ferocious Kitten has named malicious files update.exe and loaded them into the compromised host's "Public" folder.[74]
FIN13 has masqueraded WAR files to look like legitimate packages, such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[75]
FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[76] Additionally, FIN7 has mimicked WsTaskLoad.exe, which is associated with the Wondershare software suite, by using a malicious executable under the same name.[77]
FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[78][79]
FoggyWeb can be disguised as a Visual Studio file such as Windows.Data.TimeZones.zh-PH.pri to evade detection. Also, FoggyWeb's loader can mimic a genuine dll file that carries out the same import functions as the legitimate Windows version.dll file.[80]
Fooder has frequently masqueraded as the Snake game, using strings such as "Welcome to snake Game" and mutexes such as "SNAKE_G."[81]
Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.[82]
Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[83]
Gamaredon Group has used legitimate process names to hide malware including svchosst.[84] Additionally, Gamaredon Group disguised malicious ZIP archives as Office documents that are related to the invasion.[85]
Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[86]
GoBear is installed through droppers masquerading as legitimate, signed software installers.[87]
GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.[88]
GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[89][90]
Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[14]
Grandoreiro has named malicious browser extensions and update files to appear legitimate.[91][92]
Green Lambert has been disguised as a Growl help file.[93][94]
HermeticWiper has used the name postgressql.exe to mask a malicious payload.[95]
HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll.[95]
HexEval Loader has masqueraded and typosquatted as legitimate code repository packages and projects.[96][97]
During HomeLand Justice, threat actors renamed ROADSWEEP to GoXML.exe and ZeroCleare to cl.exe.[98][99]
HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[100]
IceApple .NET assemblies have used App_Web_ in their file names to appear legitimate.[101]
IcedID has modified legitimate .dll files to include malicious code.[102]
INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[103][104]
Indrik Spider used fake updates for the FlashPlayer plugin and Google Chrome as initial infection vectors.[105]
InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[106]
InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.[107][108]
Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[109]
J-magic can rename itself as "[nfsiod 0]" to masquerade as the local Network File System (NFS) asynchronous I/O server.[110]
During the J-magic Campaign, threat actors used the name "JunoscriptService" to masquerade malware as the Junos automation scripting service.[110]
Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe.[111]
KGH_SPY has masqueraded as a legitimate Windows tool.[112]
Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.[113] Kimsuky has also disguised payloads using legitimate file names including a PowerShell payload named chrome.ps1.[114] Kimsuky has also used a malicious QR code that masqueraded as a legitimate package delivery service.[115]
KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries.[116]
KONNI has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[117]
LAMEHUG payloads have been disguised with legitimate-looking filenames including AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe.[118][119]
Latrodectus has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.[120]
Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.[121][122]
LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.[123]
LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.[124]
LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe.[125]
Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[126][127]
Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.[128]
Magic Hound has used dllhost.exe to mask Fast Reverse Proxy (FRP) and MicrosoftOutLookUpdater.exe for Plink.[129][130][131]
MagicRAT stores configuration data in files and file paths mimicking legitimate operating system resources.[132]
MarkiRAT can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files.[74]
MCMD has been named Readme.txt to appear legitimate.[133]
MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.[134]
menuPass has been seen changing malicious files to appear legitimate.[135]
Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.[136][137]
Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[138][139]
Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[138][139]
MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.[140][141][142]
Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[143] Mustang Panda has also masqueraded legitimate browser plugin updates to include AdobePlugins.exe.[48]
Mustard Tempest has used the filename AutoUpdater.js to mimic legitimate update files and has also used the Cyrillic homoglyph characters С (0xd0a1) and а (0xd0b0), to produce the filename Сhrome.Updаte.zip.[144][145]
Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.[146]
Nebulae uses functions named StartUserModeBrowserInjection and StopUserModeBrowserInjection indicating that it's trying to imitate chrome_frame_helper.dll.[146]
NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder.[147]
NightClub has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.[148]
Ninja has used legitimate-looking filenames for its loader including update.dll and x64.dll.[149]
NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.[150]
Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[151][152]
OilRig has named a downloaded copy of the Plink tunneling utility as \ProgramData\Adobe.exe.[153]
OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[154]
During Operation CuckooBees, the threat actors renamed a malicious executable to rundll32.exe to allow it to blend in with other Windows system files.[155]
During Operation Digital Eye, threat actors attempted to make filenames appear legitimate by tailoring them to the victim organization.[156]
During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.[157]
During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as mssync.exe.[158]
During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.[159]
OSX/Shlayer can masquerade as a Flash Player update.[160][161]
OutSteel attempts to download and execute Saint Bot to a statically-defined location attempting to mimic svchost: %TEMP%\svjhost.exe.[162]
OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.[163]
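As an added example (not part of the ATT&CK page or any of the cited reports), the following Python checks constructed file-creation telemetry for three patterns listed above: a legitimate name in the wrong directory (OwaAuth in Owa\bin, Elise's svchost.exe under %APPDATA%), one- or two-character near misses of legitimate names (svjhost, svchosst, wercplsupporte, notron), and mixed-script homoglyph names like Mustard Tempest's Сhrome.Updаte.zip. The baseline table of legitimate names and their expected directories, and the sample paths, are constructed for illustration.

```python
"""Flag file names that imitate legitimate binaries (T1036.005) in constructed telemetry.

Added example, not MITRE's or any vendor's code. The baseline table and sample
paths are constructed; a real deployment would build the baseline from a gold
image and feed it file-creation events.
"""
import unicodedata

# Constructed baseline: lowercase legitimate name -> directories it is expected in.
BASELINE = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wercplsupport.dll": {r"c:\windows\system32"},
    "norton.exe": {r"c:\program files\norton"},
    "owaauth.dll": {r"c:\program files\microsoft\exchange server\clientaccess\owa\auth"},
}

# Constructed sample telemetry; comments name the ATT&CK procedure each path imitates.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",                                    # legitimate
    r"C:\Users\bob\AppData\Roaming\Microsoft\Network\svchost.exe",        # Elise-style wrong location
    r"C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\bin\owaauth.dll",  # OwaAuth-style
    r"C:\Users\bob\AppData\Local\Temp\svjhost.exe",                        # OutSteel-style substitution
    r"C:\ProgramData\wercplsupporte.dll",                                  # Blue Mockingbird-style extra letter
    r"C:\Users\bob\Downloads\notron.exe",                                  # ChChes-style transposition
    "C:\\Users\\bob\\Downloads\\\u0421hrome.Upd\u0430te.zip",              # Mustard Tempest-style Cyrillic homoglyphs
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mixed_script(name: str) -> bool:
    """True when letters from more than one script appear (e.g. Latin plus Cyrillic)."""
    scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in name if ch.isalpha()}
    return len(scripts) > 1


def classify(path: str) -> list:
    """Return zero or more findings for one observed file path."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    ldir, lname = directory.lower(), name.lower()
    findings = []
    if lname in BASELINE:
        # Exact legitimate name: only the location can give it away.
        if ldir not in BASELINE[lname]:
            findings.append(f"legitimate name {name!r} outside expected directory {directory!r}")
        return findings
    if mixed_script(name):
        findings.append(f"mixed-script name {name!r} (homoglyph masquerade)")
    # Near misses: one edit for short names, two for names of 8+ characters
    # so a transposition such as notron/norton is caught without over-matching.
    for legit in BASELINE:
        distance = levenshtein(lname, legit)
        if 0 < distance <= (2 if len(lname) >= 8 else 1):
            findings.append(f"{name!r} is a near miss for legitimate {legit!r} (edit distance {distance})")
    return findings


def scan(paths) -> dict:
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {p: classify(p) for p in paths if classify(p)}


if __name__ == "__main__":
    for suspicious_path, reasons in scan(SAMPLE_PATHS).items():
        print(suspicious_path)
        for reason in reasons:
            print("   ", reason)
```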
Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[164] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[165]
PcShare has been named wuauclt.exe to appear as the legitimate Windows Update AutoUpdate Client.[55]
Penquin has mimicked the Cron binary to hide itself on compromised systems.[166]
PipeMon modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.[167]
PlugX has been disguised as legitimate Adobe and PotPlayer files.[168] PlugX has also imitated legitimate software directories and file names through the creation and storage of a legitimate EXE and the malicious DLLs.[169][170][171][172]
Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[173]
PowGoop has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.[174]
PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.[175][176]
PUBLOAD has renamed malicious files to mimic legitimate file names such as adobe_wf.exe.[177]
PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[178][179]
PureCrypter has used multiple file names to appear legitimate such as firefox\firefox.exe, Google\chrome.exe, and Taskmgr.exe.[180]
PyDCrypt has dropped DCSrv under the svchost.exe name to disk.[181]
Pysa has executed a malicious executable by naming it svchost.exe.[182]
Qilin has named its payload file TeamViewer_Host_Setup to disguise itself as a legitimate TeamViewer file.[183]
QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.[184]
QUIETEXIT has attempted to change its name to cron upon startup. During incident response, QUIETEXIT samples have been identified that were renamed to blend in with other legitimate files.[185]
Raindrop was installed under names that resembled legitimate Windows file and directory names.[186][187]
RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.[146]
Ramsay has masqueraded as a 7zip installer.[188][189]
RDAT has masqueraded as VMware.exe.[190]
RedCurl mimicked legitimate file names and scheduled tasks (e.g., MicrosoftCurrentupdatesCheck and MdMMaintenenceTask) to mask malicious files and scheduled tasks.[191][192]
During RedPenguin, UNC3886 created multiple strains of malware using names to mimic legitimate binaries such as appid, to, irad, lmpad, jdosd, and oemd.[193]
The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMware. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[194][195]
REvil can mimic the names of known executables.[196]
Rocke has used shell scripts that download mining executables and save them with the filename "java".[197]
RotaJakiro has used the filename systemd-daemon in an attempt to appear legitimate.[198]
RustyWater has used reddit.exe as its file name and a Cloudflare logo.[199]
Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.[200]
S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[138][139]
Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[201]
SameCoin has named files to appear legitimate such as "MicrosoftEdge.exe."[202]
Samurai has created the directory %COMMONPROGRAMFILES%\Microsoft Shared\wmi\ to contain DLLs for loading successive stages.[203]
Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[204][205]
Shai-Hulud has masqueraded as a legitimate Bun installer.[206][207]
Shark binaries have been named audioddg.pdb and Winlangdb.pdb in order to appear legitimate.[61]
ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.[208]
Sibot has downloaded a DLL to the C:\windows\system32\drivers\ folder and renamed it with a .sys extension.[89]
SideCopy has used a legitimate DLL file name, Duser.dll to disguise a malicious remote access tool.[209]
Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.[210]
Silence has named its backdoor "WINWORD.exe".[211]
Skidmap has created a fake rm binary to replace the legitimate Linux binary.[212]
SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[213]
Small Sieve can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.[214]
SocGholish has been named AutoUpdater.js to mimic legitimate update files.[145]
During the SolarWinds Compromise, APT29 renamed software and DLLs with legitimate names to appear benign.[215][216]
Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[217]
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[218]
Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.[217]
STATICPLUGIN has leveraged naming conventions that match legitimate services to include AdobePlugins.exe.[48]
Storm-1811 has disguised Cobalt Strike installers as a malicious DLL masquerading as part of a legitimate 7zip installation package.[219]
StrelaStealer payloads have tailored filenames to include names identical to the name of the targeted organization or company.[220]
StrifeWater has been named calc.exe to appear as a legitimate calculator program.[221]
StrongPity has been bundled with legitimate software installation files for disguise.[175]
SUGARDUMP has been named CrashReporter.exe to appear as a legitimate Mozilla executable.[222]
SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.[187]
SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.[223]
SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.[224][225]
TA2541 has used file names to mimic legitimate Windows files or system functionality.[226]
The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.[121]
Tarrask has masqueraded as executable files such as winupdate.exe, date.exe, or win.exe.[227]
TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.[228]
TEARDROP files had names that resembled legitimate Windows file and directory names.[229][187]
ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.[230][231]
ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.[232]
TinyTurla has been deployed as w64time.dll to appear legitimate.[233]
ToddyCat has used the name debug.exe for malware components.[203]
TONESHELL has renamed malicious files to mimic legitimate file names and file extensions.[177] TONESHELL has also used legitimate file names such as LogMeIn.dll.[234]
TRANSLATEXT has been named GoogleTranslate.crx to masquerade as a legitimate Chrome extension.[235]
Transparent Tribe can mimic legitimate Windows directories by using the same icons and names.[236]
In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.
Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.[237][87]
Tropic Trooper has hidden payloads in Flash directories and fake installer files.[238]
Tsundere Botnet has disguised its MSI installer as a fake installer for popular games and software.[239]
Turla has named components of LunarWeb to mimic Zabbix agent logs.[240]
Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[241]
USBStealer mimics a legitimate Russian program called USB Disk Security.[242]
Velvet Ant used a malicious DLL, iviewers.dll, that mimics the legitimate "OLE/COM Object Viewer" within Windows.[243]
VIRTUALPITA samples have been found in /usr/libexec/setconf/ksmd and /usr/bin/ksmd, named to spoof the legitimate Kernel Same-Page Merging Daemon binary.[244]
VOID MANTICORE has masqueraded malicious payloads to resemble legitimate applications.[245][246] VOID MANTICORE has also named malicious payloads after common applications, including Pictory, KeePass, WhatsApp, and Telegram.[246]
Volt Typhoon has used legitimate-looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[247][248][249]
Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[250]
A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[251]
WIRTE has used security service provider naming conventions such as ESET and Kasperky ("Kaspersky Update Agent") in order to appear legitimate.[252][202]
XORIndex Loader has leveraged legitimate package names to mimic frequently utilized tools to entice victims to download and execute malicious payloads.[253]
ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[138]