216.73.216.204

Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak

· Published 16/04/2025 20:35 · Modified 16/04/2025 21:06

Export JSON

Essential information

Published
16/04/2025 20:35
Modified
16/04/2025 21:06
Tags
2025-04-16 corklog paklog splatcloak starproxy toneshell windows
Related entities
23 observables, 1 intrusion sets (apt), 5 techniques (mitre), 5 malware, 3 others

Description

Mustang Panda, a threat actor group, has developed new tools including two keyloggers ( and ) and an EDR evasion driver (). monitors keystrokes and clipboard data, using a custom encoding scheme. captures keystrokes, encrypts data with RC4, and establishes persistence through services or scheduled tasks. disables kernel-level notification callbacks for Defender and Kaspersky drivers, employing obfuscation techniques like control flow flattening and mixed boolean arithmetic. Along with those tools, the group has been observed using updated versions of and a new tool called . , a backdoor, now features changes in its FakeTLS C2 communication protocol and client identifier storage methods. , a lateral movement tool, uses the FakeTLS protocol to proxy traffic and facilitate attacker communications.

External references