logo
SlackReddit

T1036.008

Masquerading: Masquerade File Type

Description from ATT&CK

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either .JPE, .JPEG or .JPG.

Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries may move their malware without triggering detections.

Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.

Polyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)

Source

Atomic Tests

Atomic Test #1: Linux File Type Masquerading via Extension Change

Executes a shell script that has been disguised with a harmless image extension (.png).

Supported Platforms: Linux

auto_generated_guid: 1214f818-673b-4494-9fbd-99af0e185866

Attack Commands: Run with sh!

echo '#!/bin/sh' > /tmp/image.png
echo 'echo "Running script masked as PNG"' >> /tmp/image.png
sh /tmp/image.png

Cleanup Commands

rm -f /tmp/image.png

Atomic test(s) for this technique last updated: 2026-07-13 17:14:45 UTC

On this page