How Attackers Use Extension Spoofing and How I Built a Tool to Stop Them
Source: Dev.to
What it does
- Monitors file creation/modification using inotify (Linux) or watchdog (Windows).
- Validates that a file’s extension matches its magic number (e.g., invoice.pdf is really a PDF).
- Quarantines mismatched files automatically.
- Emits SIEM‑ready JSON logs compatible with Splunk, ELK, Wazuh, etc.
- Includes SHA‑256 hashing and user attribution.
Why I built this
Ransomware and other malware often evade detection by simply renaming executables (e.g., malware.exe → invoice.pdf). Renaming changes the extension but not the file’s leading bytes, so this tool validates the real type against the claimed extension in real time and stops such extension spoofing.
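The core check described above, written here as an added illustration rather than code from the file-validator repository: compare the claimed extension with the file’s magic number, hash the content, and emit a one-line JSON event. The signature table and the sample bytes are constructed for the example.

```python
import hashlib
import json
from pathlib import PurePath

# Leading byte signatures ("magic numbers") a genuine file of each type starts with.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],  # DOS/PE executables
}

def detect_type(header: bytes):
    """Return the extension whose signature matches the header, or None."""
    for ext, sigs in MAGIC.items():
        if any(header.startswith(s) for s in sigs):
            return ext
    return None

def validate(path: str, data: bytes, user: str = "unknown") -> dict:
    """Compare claimed extension with actual magic number; mismatch => quarantine."""
    claimed = PurePath(path).suffix.lower().lstrip(".")
    detected = detect_type(data[:16])
    if claimed not in MAGIC:
        verdict = "unknown_extension"  # no signature to check against
    elif detected == claimed:
        verdict = "ok"
    else:
        verdict = "mismatch"  # includes empty or truncated files
    return {
        "event": "file_validation",
        "path": path,
        "user": user,
        "claimed_extension": claimed,
        "detected_type": detected,
        "verdict": verdict,
        "quarantine": verdict == "mismatch",
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def to_siem_json(event: dict) -> str:
    """One JSON object per line, as Splunk/ELK/Wazuh ingest it."""
    return json.dumps(event, sort_keys=True)

if __name__ == "__main__":
    # Constructed samples: a renamed executable header and a genuine PDF header.
    spoofed = b"MZ\x90\x00" + b"\x00" * 60
    genuine = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    print(to_siem_json(validate("/var/www/uploads/invoice.pdf", spoofed, "www-data")))
    print(to_siem_json(validate("/var/www/uploads/report.pdf", genuine, "www-data")))
```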
Install
Linux
curl -sSL https://raw.githubusercontent.com/AnasRm01/file-validator/main/install.sh | sudo bash
Windows
- Download install-windows.bat from the repository.
- Run the batch file with administrative privileges.
Use cases
- Web server upload directories (e.g., /var/www/uploads)
- Shared network drives
- Employee “Downloads” folders
- Compliance logging (PCI‑DSS requires file integrity monitoring)
Performance
- Memory usage: <10 MB RAM
- CPU impact: <1 %
- Event‑driven architecture (no continuous scanning loops)
- Tested on CentOS, Ubuntu, Windows 10/11
Source code
Open to feedback! What other file types should be added?