MITRE ATT&CK® Technique

T1036.007: Double File Extension

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.[1][2]

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.[2]

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

Domain: Enterprise | ID: T1036.007 | Type: Sub-technique | Object version: 2.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Double File Extension matters because it turns a familiar Windows usability issue into a business risk: a user may see a file that appears to be a document or image while Windows actually treats it as executable content. This is especially relevant to phishing-driven initial access and user execution scenarios described by ATT&CK, where the decision point is often whether employees, email controls, endpoint controls, and SOC telemetry can distinguish the displayed name from the true file type.

Executive priority

Prioritize this as a low-complexity masquerading behavior that can undermine security awareness, attachment handling, and incident triage. Leaders should ask whether Windows endpoint configuration, user training, email attachment review, and SOC evidence can prove the organization can identify files such as benign-looking .txt/.doc/.jpg names that actually end in executable extensions such as .exe, .lnk, .hta, or .scr. This is also useful audit evidence for phishing readiness and endpoint hardening programs.

Technical view

This is a Windows sub-technique of Masquerading under the stealth tactic. ATT&CK provides no official detection text, but the relationship to DET0366 indicates a detection strategy exists for double file extension masquerading. SOC and detection teams should validate filename parsing across email, endpoint, and investigation tools: the full filename, displayed filename, final extension, file type, and execution behavior should be visible and searchable. IR teams should treat user-opened attachments with double extensions as suspicious until the true file type and execution chain are confirmed.

Likely telemetry

  • Email attachment metadata, including full original filename and extension sequence
  • Endpoint file creation and download events on Windows systems
  • Process execution telemetry showing the executed file path and true executable extension
  • EDR or host inventory records that preserve full filenames rather than truncated or display-friendly names
  • User interaction context where available, such as opening an attachment from a mail client or file browser

Detection direction

  • Validate that detection logic evaluates the last extension as the effective file type, not only the first visible extension.
  • Tune for common benign-looking first extensions such as document, text, or image extensions followed by executable-oriented extensions identified by ATT&CK, including .exe, .lnk, .hta, and .scr.
  • Check whether email, EDR, SIEM, and case-management views preserve the complete filename; display truncation is a material blind spot for this technique.
  • Correlate suspicious double-extension files with user execution and attachment delivery context where available, because ATT&CK describes common use through spearphishing attachment and user execution patterns.
  • Account for false positives from legitimate files that contain multiple periods or compound naming conventions; prioritize cases where the final extension is executable or script-like.
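The detection direction above, as an added example that is not part of the original page: a small Python checker that walks constructed email-attachment and endpoint file-creation records, treats the last extension as the effective file type, and flags only a benign-looking document or image extension immediately followed by one of the executable extensions ATT&CK names (.exe, .lnk, .hta, .scr). Multi-period names such as archive.tar.gz are left alone, which is the false-positive case the last bullet raises. The event tuples and the lure/executable extension sets are assumptions for the demo.

```python
import re
from collections import namedtuple

# Constructed sample telemetry (not from the page): (source, filename) pairs as an
# email gateway or an endpoint file-creation feed might record them.
SAMPLE_EVENTS = [
    ("email_attachment", "Q3_report.pdf"),
    ("email_attachment", "Invoice.txt.exe"),
    ("file_create", r"C:\Users\alice\Downloads\photo.jpg.scr"),
    ("file_create", r"C:\Users\alice\Downloads\archive.tar.gz"),
    ("file_create", r"C:\Users\alice\Documents\notes.doc.lnk"),
    ("file_create", r"C:\Program Files\tool\lib.v2.1.dll"),
    ("email_attachment", "setup.hta"),
]

# Assumed lure extensions: benign-looking first extensions from the page's description.
BENIGN_LURE_EXTS = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "gif", "png"}
# Executable and script-like final extensions named by ATT&CK for this sub-technique.
EXECUTABLE_EXTS = {"exe", "lnk", "hta", "scr"}

Finding = namedtuple("Finding", "source filename displayed_as true_ext")

def extension_chain(path):
    """Lowercased list of dotted extensions of the final path component.
    'photo.jpg.scr' -> ['jpg', 'scr']; 'lib.v2.1.dll' -> ['v2', '1', 'dll']."""
    name = re.split(r"[\\/]", path)[-1]
    parts = name.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []

def is_double_extension_masquerade(path):
    """True when the effective (last) extension is executable and the extension
    just before it is a benign-looking document or image extension."""
    chain = extension_chain(path)
    return len(chain) >= 2 and chain[-1] in EXECUTABLE_EXTS and chain[-2] in BENIGN_LURE_EXTS

def displayed_name(path):
    """What a file browser that hides the known final extension would show."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name

def scan(events):
    """Return one Finding per event whose filename matches the masquerade pattern."""
    findings = []
    for source, path in events:
        if is_double_extension_masquerade(path):
            findings.append(Finding(source, path, displayed_name(path), extension_chain(path)[-1]))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.source}: {f.filename!r} displays as {f.displayed_as!r}; true type .{f.true_ext}")
```

Keep the full original filename in the finding record: the displayed form is only there to show analysts what the user saw, and the full path is what the case file needs.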

Mitigation priorities

  • Apply Operating System Configuration controls that reduce misleading file presentation on Windows systems and support accurate user and analyst visibility of true file types.
  • Use User Training to teach employees and contractors to recognize and report attachments where the visible name does not match the true file type, especially document or image lures ending in executable extensions.
  • Ensure phishing-readiness exercises and awareness material include double-extension examples without relying on users as the only control.
  • Confirm incident response playbooks include rapid triage of suspicious attachments, full filename capture, and endpoint execution review.

Analyst notes and limits

The strongest defensive value is not merely blocking a string pattern; it is ensuring the organization can see the full filename consistently from delivery through execution. The related use by Kimsuky, Mustang Panda, Bazar, Milan, and DarkGate shows this behavior appears in ATT&CK reporting across groups and software, but local prioritization should be based on the organization’s Windows exposure, attachment workflows, and telemetry quality.

ATT&CK provides no official detection procedure for this object in the supplied fields. The object is scoped to Windows, and the mitigation relationships are general User Training and Operating System Configuration. Any claim of coverage requires local validation against actual email, endpoint, and SIEM data.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise | ID: T1036 | Name: Masquerading | Relationship / procedure: This object is a sub-technique of Masquerading.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]

Malware Enterprise

S1111: DarkGate

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]

Platforms: Windows

Malware Enterprise

S0534: Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.0
Raw hash: 8759ecd76071af5b...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Object version: 2.0 | Status: Current bundle | Raw hash: 8759ecd76071…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.
  2. Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. SOC Prime. Retrieved July 27, 2021.
  3. MITRE ATT&CK. T1036.007: Double File Extension.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.