Cybersecurity News in Asia

RECENT STORIES:

SEGA moves faster with flow-based network monitoring
Survey recaps well-known cybersecurity hurdles for Operational Technol...
AI model o3 defies shutdown commands autonomously, with code tampering
ATxEnterprise 2025 Boosts Global Participation, Reinforces Singapore&#...
Will your organization’s defenses be breached due to your suppliers’ w...
Ransonware attack cripples computational software at the worst possibl...
LOGIN REGISTER
CybersecAsia
  • Conference 2025
  • Features
    • Featured

      Will your organization’s defenses be breached due to your suppliers’ weak cybersecurity?

      Will your organization’s defenses be breached due to your suppliers’ weak cybersecurity?

      Thursday, May 29, 2025, 5:04 PM Asia/Singapore | Features, Newsletter
    • Featured

      How the UAE proactively protects its digital economy

      How the UAE proactively protects its digital economy

      Monday, May 19, 2025, 2:16 PM Asia/Singapore | Features
    • Featured

      Navigating blockchain adoption amid rising security challenges

      Navigating blockchain adoption amid rising security challenges

      Wednesday, May 14, 2025, 12:32 PM Asia/Singapore | Features
  • Opinions
  • Tips
  • Whitepapers
  • Awards 2024
  • Directory
  • E-Learning

Select Page

LOGIN REGISTER
  • Conference 2025
  • Features
    • Featured

      Will your organization’s defenses be breached due to your suppliers’ weak cybersecurity?

      Will your organization’s defenses be breached due to your suppliers’ weak cybersecurity?

      Thursday, May 29, 2025, 5:04 PM Asia/Singapore | Features, Newsletter
    • Featured

      How the UAE proactively protects its digital economy

      How the UAE proactively protects its digital economy

      Monday, May 19, 2025, 2:16 PM Asia/Singapore | Features
    • Featured

      Navigating blockchain adoption amid rising security challenges

      Navigating blockchain adoption amid rising security challenges

      Wednesday, May 14, 2025, 12:32 PM Asia/Singapore | Features
  • Opinions
  • Tips
  • Whitepapers
  • Awards 2024
  • Directory
  • E-Learning
Tips

How to outsmart filename masquerading: A practical guide to safer file handling

By L L Seow | Monday, May 26, 2025, 5:46 PM Asia/Singapore

How to outsmart filename masquerading: A practical guide to safer file handling

An age-old cybercriminal tactic has been rejuvenated, thanks to popular AI platforms that generate sought-after images and video files for download.

A recent high-profile case had involved the impersonation of a popular generative AI (GenAI) platform that has millions of users. Using fake Facebook ads and a convincing spoof of the platform’s website, cybercriminals lured victims into downloading files that appeared to be images or videos generated by the GenAI prompts.

Such sought-after output by millions of users tends to lower people’s guard. They will not notice anomalies in the filename of such output, such as unusual glyphs (“…”) or double extensions (for example, “.doc.exe”). In actuality, depending on how Windows users set their File Explorer preferences, some filename anomalies may not even be visible! However, once the supposedly harmless image (*.jpg or *.png) or video (*.mp4) files are downloaded and opened, users will have launched a malicious Windows executable.

This devious technique is called “filename masquerading”. By leveraging popular platforms that by nature are expected to generate normally harmless files for users (such as images or videos), cybercriminals can fool even savvy users into downloading and executing malware.

Understanding how filename masquerading works — and how to spot it — can help users — even those on other less-vulnerable operating systems — from being tricked by filename masquerading.

Common filename masquerading techniques
The main idea is to mask executable files, macros and automation scripts with filenames that do not readily appear to the potential victim as such. Instead, the filenames are made to escape the attention of users, made to masquerade as image or video files that are opened in trusted editing software.

Some common techniques to mask dangerous executable files as less risky files include:

  1. Double extensions
    A classic trick is naming a file something like invoice.pdf.exe. If your system hides known file extensions (the default setting in Windows), you’ll only see invoice.pdf, not realizing it’s actually an executable program.
  2. Unicode Right-to-Left Override (RLO)
    Attackers can insert special Unicode characters (such as U+202E) into filenames, causing part of the name to be displayed in reverse order. For example, “photo_high_res\u202Egnp.js” will appear as “photo_high_resj.png”, masking the true nature of the file.
  3. Invisible Unicode characters
    Characters such as the Hangul Filler (U+3164) can be used to pad a filename, pushing the real extension out of view. For instance, a file named “Generated_Image_2025.jpg[U+3164 x50].exe” can appear as just “Generated_Image_2025.jpg” in Windows.
  4. Spaces and special characters
    Adding spaces or special symbols at the end of a filename can hide the true extension or make the file look more legitimate. Use of spaces or special Unicode fillers can push the real extension out of view on certain Windows device configurations.
  5. Legitimate-looking icons and names
    Malicious files may be set to make the operating system display a certain icon — such as a standard image icon — that is familiar and safe to users.
  6. File signature spoofing
    Beyond masking risky filename extensions, cybercriminals can even copy digital signatures from legitimate files into a malware executable to make it appear to the operating system as an authentic and verified executable system file. This technique can evade system alerts or detection by any installed third-party cybersecurity software.
  7. File header masquerading
    In this case, even a malicious file’s internal structure is changed to make the executable match the profile of a harmless image file, for example. This can fool certain system processes or cybersecurity software that routinely monitor incoming files.

The MITRE ATT&CK framework has cataloged masquerading as a standard adversary tactic (T1036), with sub-techniques such as double file extension (T1036.007), RLO (T1036.002), and matching legitimate names or locations (T1036.005). Numerous real-world malware families and threat groups have used these methods, from spear-phishing attachments to advanced persistent threat campaigns.

Protective and prevention measures

Filename masquerading is a powerful tool in the cybercriminal’s arsenal, but with a little vigilance and the right settings, Windows users (and even those running the more-secure operating systems) can protect themselves and others around them.

Always set Windows file browser tools to show file extensions, be wary of suspicious files/filenames, and keep software up to date:

  • Enable file extension visibility: Make this the default setting on all Windows devices.
  • Use reliable cybersecurity software: Modern security solutions can detect many masquerading tricks. However, do not rely only on such tools alone
  • Keep your system updated: Install Windows security updates and application updates in a prompt manner, to quickly patch vulnerabilities that attackers could exploit.
  • Be skeptical: If something feels off — a very long file name, an unexpected attachment, or a download from a new website — trust your instincts and investigate before opening a file.
  • Educate others: Share this knowledge with friends, family, and colleagues. The more people know about these tricks, the less effective they become. If anything is amiss with a file, the first thing to do is to quarantine it instead of double-clicking on it. Scan it with a cybersecurity tool. Report it to the IT team. A more risky option could involve physically renaming the file to a short name with a harmless extension for the type of file it is supposed to be. If opening that supposed image file in a photo viewer app does not work, then the original filename could have been a masqueraded one.

If all protective measures fail, and a file that has been launched does not appear to be what it is supposed to be, immediate measures to take are: Disconnect from the Internet, and shut the device down immediately. Report the incident to IT without delay.

Share:

PreviousSophisticated crypto theft operation exploits phishing, smart contracts to steal millions
NextKnow the four most common password mistakes

Related Posts

Struggling to stay cyber safe: The MSME situation in India

Struggling to stay cyber safe: The MSME situation in India

Wednesday, July 3, 2024

Towards holistic cybersecurity: the platform-based approach

Towards holistic cybersecurity: the platform-based approach

Thursday, February 15, 2024

Planning for cybersecurity on a shoe-string budget

Planning for cybersecurity on a shoe-string budget

Tuesday, October 1, 2019

Increased deployment of Office 365 led to increased account takeover incidents

Increased deployment of Office 365 led to increased account takeover incidents

Friday, March 19, 2021

Leave a reply Cancel reply

You must be logged in to post a comment.

Voters-draw/RCA-Sponsors

Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
Slide
previous arrow
next arrow

CybersecAsia Voting Placement

Gamification listing or Participate Now

PARTICIPATE NOW

Vote Now -Placement(Google Ads)

Top-Sidebar-banner

Whitepapers

  • 2024 Insider Threat Report: Trends, Challenges, and Solutions

    2024 Insider Threat Report: Trends, Challenges, and Solutions

    Insider threats continue to be a major cybersecurity risk in 2024. Explore more insights on …Download Whitepaper
  • AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    AI-Powered Cyber Ops: Redefining Cloud Security for 2025

    The future of cybersecurity is a perfect storm: AI-driven attacks, cloud expansion, and the convergence …Download Whitepaper
  • Data Management in the Age of Cloud and AI

    Data Management in the Age of Cloud and AI

    In today’s Asia Pacific business environment, organizations are leaning on hybrid multi-cloud infrastructures and advanced …Download Whitepaper
  • Mitigating Ransomware Risks with GRC Automation

    Mitigating Ransomware Risks with GRC Automation

    In today’s landscape, ransomware attacks pose significant threats to organizations of all sizes, with increasing …Download Whitepaper

Middle-sidebar-banner

Case Studies

  • St Luke’s ElderCare enhances operations and capabilities through a centralized secure, scalable network

    St Luke’s ElderCare enhances operations and capabilities through a centralized secure, scalable network

    With only a small IT team, the digital transformation has united operations across 30 locations, …Read more
  • Automating border control and security with facial recognition technology

    Automating border control and security with facial recognition technology

    Indonesia Immigration & Seaport Authorities enhances security and speeds up border control queues at Batam …Read more
  • Securing wealth advisory services without unnecessary friction: Endowus

    Securing wealth advisory services without unnecessary friction: Endowus

    The wealth advisory platform demonstrates its non-negotiable commitment to a robust security posture through partnering …Read more
  • LifeTech group sets up next-gen security operations center in Malaysia

    LifeTech group sets up next-gen security operations center in Malaysia

    By partnering with a unified cybersecurity platform, the firm will be offering cost-effective advanced SOC …Read more

Bottom sidebar

  • Our Brands
  • DigiconAsia
  • MartechAsia
  • Home
  • About Us
  • Contact Us
  • Sitemap
  • Privacy & Cookies
  • Terms of Use
  • Advertising & Reprint Policy
  • Media Kit
  • Subscribe
  • Manage Subscriptions
  • Newsletter

Copyright © 2025 CybersecAsia All Rights Reserved.