How to outsmart filename masquerading: A practical guide to safer file handling

By L L Seow | Monday, May 26, 2025, 5:46 PM Asia/Singapore

An age-old cybercriminal tactic has been rejuvenated, thanks to popular AI platforms that generate sought-after images and video files for download.

A recent high-profile case involved the impersonation of a popular generative AI (GenAI) platform that has millions of users. Using fake Facebook ads and a convincing spoof of the platform’s website, cybercriminals lured victims into downloading files that appeared to be images or videos generated from GenAI prompts.

Output that millions of users actively seek out tends to lower people’s guard. They will not notice anomalies in the filename of such output, such as unusual glyphs (“…”) or double extensions (for example, “.doc.exe”). In fact, depending on how Windows users set their File Explorer preferences, some filename anomalies may not even be visible! However, once the supposedly harmless image (*.jpg or *.png) or video (*.mp4) files are downloaded and opened, users will have launched a malicious Windows executable.

This devious technique is called “filename masquerading”. By leveraging popular platforms that by nature are expected to generate normally harmless files for users (such as images or videos), cybercriminals can fool even savvy users into downloading and executing malware.

Understanding how filename masquerading works, and how to spot it, can help users, even those on other less-vulnerable operating systems, avoid being tricked by it.

Common filename masquerading techniques

The main idea is to give executable files, macros and automation scripts filenames that do not readily reveal what they are. The filenames are crafted to escape users’ attention and to masquerade as image or video files that would be opened in trusted editing software.

Some common techniques to mask dangerous executable files as less risky files include:

  1. Double extensions
    A classic trick is naming a file something like invoice.pdf.exe. If your system hides known file extensions (the default setting in Windows), you’ll only see invoice.pdf, not realizing it’s actually an executable program.
  2. Unicode Right-to-Left Override (RLO)
    Attackers can insert special Unicode characters (such as U+202E) into filenames, causing part of the name to be displayed in reverse order. For example, “photo_high_res\u202Egnp.js” will appear as “photo_high_ressj.png”, masking the true nature of the file.
  3. Invisible Unicode characters
    Characters such as the Hangul Filler (U+3164) can be used to pad a filename, pushing the real extension out of view. For instance, a file named “Generated_Image_2025.jpg[U+3164 x50].exe” can appear as just “Generated_Image_2025.jpg” in Windows.
  4. Spaces and special characters
    Adding spaces or special symbols at the end of a filename can hide the true extension or make the file look more legitimate. Use of spaces or special Unicode fillers can push the real extension out of view on certain Windows device configurations.
  5. Legitimate-looking icons and names
    Malicious files may be set to make the operating system display a certain icon — such as a standard image icon — that is familiar and safe to users.
  6. File signature spoofing
    Beyond masking risky filename extensions, cybercriminals can even copy digital signatures from legitimate files into a malware executable to make it appear to the operating system as an authentic and verified executable system file. This technique can evade system alerts or detection by any installed third-party cybersecurity software.
  7. File header masquerading
    In this case, even a malicious file’s internal structure is changed to make the executable match the profile of a harmless image file, for example. This can fool certain system processes or cybersecurity software that routinely monitor incoming files.

The MITRE ATT&CK framework has cataloged masquerading as a standard adversary tactic (T1036), with sub-techniques such as double file extension (T1036.007), RLO (T1036.002), and matching legitimate names or locations (T1036.005). Numerous real-world malware families and threat groups have used these methods, from spear-phishing attachments to advanced persistent threat campaigns.
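The filename-level tricks in items 1 to 4 can be checked mechanically before a file is ever opened. The following is an added example, not code from the original article; the function name and the two extension lists are constructed for illustration and are not exhaustive.

```python
import unicodedata

# Extensions Windows will run or pass to a script host (constructed, non-exhaustive).
RISKY_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi", "hta", "ps1"}
# Extensions users expect to be passive content (constructed, non-exhaustive).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "mp4", "pdf", "doc", "docx", "txt"}
# Bidirectional control characters, including U+202E Right-to-Left Override.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
# Characters that render blank but that Unicode classes as letters or symbols,
# such as the Hangul Filler U+3164 mentioned in the article.
BLANK_LOOKING = {"\u3164", "\uffa0", "\u115f", "\u1160", "\u2800"}
HIDDEN = BIDI_CONTROLS | BLANK_LOOKING


def inspect_filename(name: str) -> list[str]:
    """Return the masquerading indicators found in a filename (empty list = none)."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override (T1036.002)")
    # Cf = invisible format characters; Zs = space separators other than ASCII space.
    if any(ch in BLANK_LOOKING
           or unicodedata.category(ch) == "Cf"
           or (unicodedata.category(ch) == "Zs" and ch != " ")
           for ch in name if ch not in BIDI_CONTROLS):
        findings.append("invisible-or-filler-character")
    if name != name.rstrip(" .") or "  " in name:
        findings.append("padding-spaces-or-trailing-dot")
    # Drop everything that renders as nothing before reading the extensions,
    # so padding cannot hide the real final extension from this check.
    visible = "".join(ch for ch in name
                      if ch not in HIDDEN
                      and unicodedata.category(ch) not in ("Cf", "Zs"))
    parts = visible.rstrip(".").lower().split(".")
    if len(parts) >= 3 and parts[-1] in RISKY_EXTS and parts[-2] in DECOY_EXTS:
        findings.append("double-extension (T1036.007)")
    return findings


if __name__ == "__main__":
    # Constructed sample names based on the article's own examples.
    samples = ["invoice.pdf.exe", "photo_high_res\u202egnp.js",
               "Generated_Image_2025.jpg" + "\u3164" * 50 + ".exe", "holiday.png"]
    for s in samples:
        print(ascii(s), inspect_filename(s))
```

Printing with `ascii()` shows hidden characters as escape sequences, which is also a quick way to inspect a suspicious name by hand.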

Protective and prevention measures

Filename masquerading is a powerful tool in the cybercriminal’s arsenal, but with a little vigilance and the right settings, Windows users (and even those running the more-secure operating systems) can protect themselves and others around them.

Always set Windows file browser tools to show file extensions, be wary of suspicious files/filenames, and keep software up to date:

  • Enable file extension visibility: Make this the default setting on all Windows devices.
  • Use reliable cybersecurity software: Modern security solutions can detect many masquerading tricks. However, do not rely on such tools alone.
  • Keep your system updated: Install Windows security updates and application updates promptly, to quickly patch vulnerabilities that attackers could exploit.
  • Be skeptical: If something feels off — a very long file name, an unexpected attachment, or a download from a new website — trust your instincts and investigate before opening a file.
  • Educate others: Share this knowledge with friends, family, and colleagues. The more people know about these tricks, the less effective they become.

If anything is amiss with a file, the first thing to do is to quarantine it instead of double-clicking on it. Scan it with a cybersecurity tool. Report it to the IT team. A more risky option could involve physically renaming the file to a short name with a harmless extension for the type of file it is supposed to be. If opening that supposed image file in a photo viewer app does not work, then the original filename could have been a masqueraded one.
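A lower-risk alternative to renaming and opening a suspect file is to read only its first few bytes and compare them with what the extension claims. This is an added example, not part of the original article; the function names and result strings are constructed, and only the formats named in the article are covered.

```python
import os

# Leading-byte signatures ("magic numbers") for the formats named in the article.
SIGNATURES = {
    "jpg": lambda b: b[:3] == b"\xff\xd8\xff",
    "png": lambda b: b[:8] == b"\x89PNG\r\n\x1a\n",
    "mp4": lambda b: b[4:8] == b"ftyp",
    "exe": lambda b: b[:2] == b"MZ",   # Windows executables start with "MZ"
}
ALIASES = {"jpeg": "jpg"}


def sniff(head: bytes):
    """Return the format whose signature matches the leading bytes, or None."""
    for fmt, matches in SIGNATURES.items():
        if matches(head):
            return fmt
    return None


def check_claimed_type(name: str, head: bytes) -> str:
    """Compare the extension in `name` with what the leading bytes look like."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    actual = sniff(head)
    if actual == "exe" and ext != "exe":
        return "executable-content-under-non-executable-name"
    if ext not in SIGNATURES:
        return "unchecked"          # no signature known here for this extension
    if actual != ext:
        return "content-does-not-match-extension"
    return "consistent"


def check_file(path: str) -> str:
    """Read only the first 16 bytes of a file; nothing is opened or executed."""
    with open(path, "rb") as fh:
        return check_claimed_type(os.path.basename(path), fh.read(16))
```

A "consistent" result only means the leading bytes agree with the name. With file header masquerading (item 7 above) those bytes are forged, so this check complements scanning and reporting rather than replacing them.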

If all protective measures fail and a file that has been launched does not appear to be what it is supposed to be, take these immediate measures: disconnect from the Internet and shut the device down immediately. Report the incident to IT without delay.

Copyright © 2026 CybersecAsia All Rights Reserved.