Process Doppelganging is a cyber attack that substitutes a legitimate process for malware in the Transactional NTFS file system. The attacker creates a copy of an executable file in the device memory and injects malicious code into it. Next, the cybercriminal uses undocumented Windows functions to load the compromised sample instead of a verified process, and then cancels the changes made.
As a result, the executable file on the hard disk remains uninfected, but in the device memory there is a malicious process under the guise of a legitimate task.