T1036.005

Masquerading: Match Legitimate Name or Location

discovered 2026-06-17

Payload written under random filenames masquerading as msedge_update / chrome_installer / dotnet_host / onedrive_setup / teams_update + hex + .exe; download requests use UA Microsoft-Delivery-Optimization/10.0.

View on MITRE ATT&CK

Seen in packages

npm procwireuses

Campaigns

procwire / deltajohnsons Windows Dropperattributed-to