T1036.006: Space after Filename
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed [1].
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
Analyst context for executives and security teams
This technique matters because a file can be made to look harmless to a user while still being handled by Linux or macOS as executable content. For security leaders, the risk is not only malware execution; it is the gap between what a user sees, what file controls inspect, and what endpoint telemetry records. It is a small masquerading detail that can undermine user trust, help bypass weak review processes, and complicate incident triage.
Executive priority
Prioritize this where macOS or Linux endpoints are material to business operations, especially environments that rely on user judgment, file naming, or basic extension checks as a control. Leaders should ask whether endpoint monitoring, file handling policy, and user-facing security processes can identify suspicious filenames with trailing spaces, not just suspicious extensions. This is also useful audit evidence for endpoint hardening and SOC readiness: teams should be able to show how they detect or investigate deceptive file presentation on supported platforms.
Technical view
ATT&CK defines this as a Masquerading sub-technique under T1036 for Linux and macOS, with the supplied example focused on macOS file handling. SOC and IR teams should validate whether file creation, rename, quarantine, download, and execution telemetry preserves trailing whitespace in filenames. Detection engineering should align with the related ATT&CK detection strategy DET0292, while recognizing the object itself provides no official detection text. Investigation should compare displayed filename, actual filename, file type, executable format, launch/open events, parent process, and user interaction context.
Likely telemetry
- Endpoint file creation and rename events with exact filename preservation, including trailing spaces
- Process execution events showing executable path, parent process, user, and command context
- macOS file open or application launch activity where available
- File metadata and type identification, such as executable format versus apparent extension
- Download, email attachment, or removable media provenance where available
Detection direction
- Confirm logging pipelines do not trim or normalize trailing whitespace from filenames before storage, search, or alerting.
- Look for executable content whose apparent extension suggests a benign document or text file, especially when the filename ends with a space.
- Correlate file rename or creation shortly before user-driven execution or application launch.
- Tune carefully for legitimate filenames with unusual whitespace to reduce false positives; the suspicious condition is strongest when deceptive extension, executable file type, and execution/open behavior align.
- Use the parent Masquerading context to hunt for broader naming deception, not only this exact whitespace pattern.
Mitigation priorities
- Ensure endpoint controls and file inspection workflows evaluate actual file type and executable content, not only visible extension.
- Harden user download and attachment handling so deceptive filenames are inspected before execution.
- Preserve exact filenames in security telemetry and case evidence, including trailing spaces and other ambiguous characters.
- Train help desk, SOC, and IR staff to recognize filename presentation issues during triage on macOS and Linux systems.
- Include this condition in endpoint detection validation or purple-team test plans where macOS/Linux user execution risk is in scope.
Analyst notes and limits
This object is a sub-technique of Masquerading and has relationship context to APT38 and Keydnap, but those relationships should be used as historical context only unless local intelligence supports relevance. The strongest defender action is validating exact filename handling across endpoint telemetry, SIEM parsing, and investigation tooling. DET0292 is listed as a related detection strategy, but its details were not supplied here.
The ATT&CK object provides no official detection text and only limited platform-specific behavior detail. This take does not assert active exploitation, customer exposure, or guaranteed detection. Local endpoint configuration, OS version behavior, security tooling, and telemetry normalization determine practical detectability.
Space after Filename
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed [1].
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | This object subtechnique of Masquerading. |
| Enterprise | T1151 | Space after Filename | Space after Filename revoked by this object. |
Groups, software, and campaigns
G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
S0276: Keydnap
This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | c2273308a5a7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Mac Backdoors are back
Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.
Open source URL -
[2]
mitre-attack T1036.006Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.