T1036.005 Match Legitimate Resource Name or Location
T1036.005 — Match Legitimate Resource Name or Location is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 62 detection use cases covering it and 48 threat-intel articles citing it.
Tactic: Defense Evasion · Use cases: 62 · Articles: 48 · Sub-techniques: 0
Parent technique: T1036 · Masquerading
Use cases covering this technique (62)
Attacker Tools On Endpoint
Windows LOLBAS Executed Outside Expected Path
Windows MSC EvilTwin Directory Path Manipulation
Windows Process Execution From ProgramData
Windows Process Execution in Temp Dir
Windows Suspicious Process File Path
[LLM] SOCKS5 proxy masquerading as 'smbd -D' from non-Samba install path
[LLM] First-seen pam_unix.so / sshd / ssh binary hash in Linux fleet
[LLM] MeshCentral agent disguised as Microsoft Azure binary calling azurenetfiles.net
[LLM] Talos prevalent malware filename pattern — VID001.exe and d4aa3e70..._N_Exe.exe
[LLM] Execution or drop of fake AI-platform installer (DeepSeek/Manus/Seedance/GPT-5.5/Kimi)
[LLM] Bun runtime download to /tmp from a node process during npm install
[LLM] Orphaned process (ppid=1) executing from /tmp hidden hex path (post-dropper stage-2)
[LLM] payload.bin written under node_modules by node process
[LLM] axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging
[LLM] DNS/HTTPS exfil to sentry.anyclaw.store (Codex token C2 masquerading as Sentry)
[LLM] DebugChromium.exe execution (Laravel-Lang stealer Windows artifact)
[LLM] Stealer or VBS launcher dropped into .laravel_locale temp directory
[LLM] Screening Serpens recruitment lure — Hiring Portal.zip + job requisition PDFs
[LLM] BadIIS rogue native module drop in IIS folders (demo.pdb / Chinese path heuristic)
[LLM] Python backdoor self-daemonisation via __DAEMONIZED=1 spawned by VS Code helper or node
[LLM] TeamPCP rope.pyz Dropper Infection Markers on Linux
[LLM] Drop of /tmp/transformers.pyz on Linux endpoint
[LLM] AdaptixC2 'systemd-resolved' or Sliver 'CWan' implant on Linux / SD-WAN host
[LLM] FrostyNeighbor PicassoLoader drop to %AppData%\WinDataScope\Update.js
[LLM] FrostyNeighbor Cobalt Strike beacon ViberPC.dll image load
[LLM] Hidden .fullgc cryptominer binary written to /ql/data/db/
[LLM] Qinglong .fullgc cryptominer execution with nohup backgrounding
[LLM] whisper.dll loaded / svchost.exe spawned outside services.exe (GopherWhisper JabGopher injection)
[LLM] Stage-2 implant masquerading as node-health-check daemon (/tmp/.kh, /tmp/.ns)
[LLM] launchctl persistence registering zsh.profiler service from non-admin location
[LLM] macOS file write of profiler binary to com.apple.Terminal masquerade path
[LLM] plain-crypto-js setup.js self-deletion or package.json overwrite (anti-forensics)
[LLM] IoliteLabs Stage-2 regsvr32 LOLbin loading ntuser DLL from fake Chrome\ChromeUpdate path
[LLM] msbuild.exe dropped to Startup folder (TeamPCP telnyx Windows persistence)
[LLM] Linux user-systemd sysmon persistence drop (~/.config/sysmon/sysmon.py + sysmon.service)
[LLM] PowerShell masquerading as Windows Terminal at %PROGRAMDATA%\wt.exe (Axios RAT Windows stage)
[LLM] axios RAT artifact dropped: com.apple.act.mond / wt.exe / ld.py with known SHA256
[LLM] PowerShell copy masqueraded as Windows Terminal in %PROGRAMDATA% running 6202033.ps1
[LLM] TeamPCP msbuild.exe persistence in user Startup folder
[LLM] CanisterWorm persistence: pglog/pg_state/internal-monitor systemd unit and /tmp/pglog drop
[LLM] GlassWorm Stage-3a UpdateLedger Run-key persistence pointing at %TEMP%\SKuyzYcDD.exe
[LLM] GlassWorm Stage-3a Ledger impersonator binary execution (SHA256 06fab21d / SKuyzYcDD.exe)
[LLM] Glassworm side-staged Node.js runtime under %APPDATA%\_node_x86 / _node_x64
[LLM] SlimAgent / BeardShell DLL load with implant filename outside System32
[LLM] PlugX DLL side-load — G DATA Avk.exe running from C:\Users\Public\GDatas\
[LLM] Scavenger loader/install.js dropped into node_modules (known SHA256 or filename match)
[LLM] DynoWiper schtask.exe / *_update.exe execution from C:\inetpub\pub\
[LLM] Weaponised ScreenConnect install path with attacker instance GUID 083e4d30c7ea44f7
[LLM] DynoWiper deployment from shared inetpub\pub directory (Sandworm, Poland Dec 2025)
[LLM] G_Wagon Python runtime drop into npm cache with lib_core/renderer or python_runtime paths
[LLM] NosyDoor AppDomainManager hijack: UevAppMonitor.exe executing from non-standard path
[LLM] NosyDoor persistence: scheduled task 'OneDrive Reporting Task-S-1-5-21-' under Microsoft folder
[LLM] NosyDoor dropper file artefacts in C:\Windows\Microsoft.NET\Framework
[LLM] MuddyWater Fooder loader (OsUpdater.exe) execution from Downloads
[LLM] LittleDaemon / DaemonicLogistics update-hijack URL pattern (popup_4.2.0.2246.dll, /update/updateInfo.bzp, /update/file6.bdat, /update/file2.
[LLM] DaemonicLogistics fake-Tencent payload drop (logo.gif at %PROGRAMDATA%\Tencent\QQUpdateMgr\UpdateFiles)
[LLM] ESET-impersonating typosquat domain contact (InedibleOchotense / Kalambur delivery)
[LLM] Python interpreter executed from %TEMP% / Public — RomCom DLL side-load chain (CVE-2025-8088)
[LLM] DreamJob trojanized PDF/installer execution from job-lure decoy folder
[LLM] GhostAction GitHub workflow secret-enumeration commit pattern
[LLM] Polyfill malware C2: contact with googie-anaiytics homograph or kuurza redirect

Articles citing this technique (48)
[crit] ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities (art-37)
[high] A tale of two eras (art-40)
[crit] The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised (art-248)