Software Impersonation Infrastructure

Coverage: T1036 Masquerading · T1583.001 Domains · T1608.001 Upload Malware · Updated: 2026-03-22

Methodology: IOC-first pipeline. Records sourced from confirmed malicious payload reports (MalwareBazaar, ThreatFox, URLhaus) and infrastructure hunts (Shodan, URLScan). Every record has a confirmed payload hash. Delivery chains shown only when URLScan captured the redirect sequence — chain coverage is partial and expected to be incomplete.
Pipeline has not been run yet. Use the Streamlit app to collect data and export masq_infra.json.

Delivery Chains

Redirect sequences captured by URLScan at the moment of scanning. A chain shows the full path from initial URL through any redirectors to the lure page and payload download. Coverage is best-effort — only available when the URL was submitted to URLScan while the infrastructure was active.

No delivery chains observed yet. Chains are captured when URLScan scans a URL while the infrastructure is active.

Payloads

No payload data yet. Run the collection pipeline.

Campaigns

Only campaigns with a confirmed hard signal — shared favicon hash, shared IP address, shared payload hash, or matching certificate pattern — and confidence score ≥ 70 are shown. Clusters below this threshold are excluded. The hard signal requirement ensures every campaign has at least one infrastructure-level link between domains, not just temporal or hosting coincidence.

No campaigns identified yet. Campaigns require confirmed delivery records with shared infrastructure signals.

Infrastructure

No infrastructure data yet.

Samples

No samples yet. Run the collection pipeline.

Detection Chokepoints

Perfect visual impersonation neutralizes every user-facing trust signal. These chokepoints survive it because they operate at the execution layer — after the user has already been deceived and run the file.

TIER 1
PE OriginalFilename mismatch (T1036.005)

Alert when a process's OriginalFilename (from the PE version resource) does not match its on-disk filename. Adversaries rename existing malicious binaries — they rarely recompile with matching resources.

detection:
  selection_dir:
    CurrentDirectory|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
  # One image/resource pair per product. A single shared filter would let a
  # binary named 7-Zip.exe through as long as its version resource named any
  # listed product (e.g. VLC), which is exactly the mismatch this rule is for.
  img_7zip:
    Image|endswith: '\7-Zip.exe'
  res_7zip:
    OriginalFileName|contains: '7-Zip'
  img_vlc:
    Image|endswith: '\VLC.exe'
  res_vlc:
    OriginalFileName|contains: 'VLC'
  img_discord:
    Image|endswith: '\DiscordSetup.exe'
  res_discord:
    OriginalFileName|contains: 'Discord'
  img_nordvpn:
    Image|endswith: '\NordVPN.exe'
  res_nordvpn:
    OriginalFileName|contains: 'NordVPN'
  img_zoom:
    Image|endswith: '\ZoomInstaller.exe'
  res_zoom:
    OriginalFileName|contains: 'Zoom'
  condition: selection_dir and ((img_7zip and not res_7zip) or (img_vlc and not res_vlc) or (img_discord and not res_discord) or (img_nordvpn and not res_nordvpn) or (img_zoom and not res_zoom))

TIER 1
Signed binary executing from user download path

A signed binary running from Downloads is more anomalous than an unsigned one in managed environments. Legitimate signed software is deployed via package manager or IT tooling, not user download directories.

detection:
  selection:
    ParentImage|contains:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\setup.exe'
      - '\installer.exe'
      - '\install.exe'
    CurrentDirectory|contains: '\Downloads\'
    # 'Signed' is not populated in Sysmon process-creation (Event ID 1) records;
    # this selection needs a telemetry source that records signature state on
    # process start (most EDR process events do).
    Signed: 'true'
  condition: selection

INFRA
Favicon hash pivoting for infrastructure clustering

From one confirmed fake domain: fetch the favicon, compute its Murmur3 hash, query Shodan. Campaigns reusing the same stolen favicon across dozens of domains surface immediately.

http.favicon.hash:-469815234
http.favicon.hash:991727625
http.favicon.hash:9732861
http.favicon.hash:-1899664115