{
	"id": "d44c32c0-05ff-47ff-b099-6515ea2b748e",
	"created_at": "2026-04-06T00:09:25.186376Z",
	"updated_at": "2026-04-10T03:36:33.477427Z",
	"deleted_at": null,
	"sha1_hash": "bd27ca83cc69535d856a5af8db9e8bf003eb26a1",
	"title": "Mustang Panda: PAKLOG, CorKLOG, and SplatCloak | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521398,
	"plain_text": "Mustang Panda: PAKLOG, CorKLOG, and SplatCloak |\r\nThreatLabz\r\nBy Sudeep Singh, ThreatLabz\r\nPublished: 2025-04-16 · Archived: 2026-04-05 13:23:37 UTC\r\nTechnical Analysis \r\nThe technical analysis in this section focuses on the keyloggers, PAKLOG and CorKLOG, along with SplatCloak.\r\nBoth PAKLOG and CorKLOG are straightforward keyloggers, but CorKLOG includes persistence mechanisms.\r\nAdditionally, both keyloggers obfuscate log files to conceal their activity. SplatCloak, deployed by SplatDropper,\r\nis a Windows kernel driver designed to disable EDR-related routines implemented by Windows Defender and\r\nKaspersky, enabling it to evade detection.\r\nPAKLOG\r\nPaklog is a keylogger that utilizes high-level Windows APIs to capture keystrokes and monitor clipboard activity.\r\nThe keylogger then encodes this data and writes it to a local file. Paklog lacks built-in exfiltration capabilities,\r\nsuggesting that Mustang Panda mainly uses it to collect data and leverages other methods for data exfiltration.\r\nPaklog is deployed via a RAR archive (e.g.,  key.rar ), which contains two files: a signed, legitimate binary\r\n( PACLOUD.exe ) and the malicious Paklog DLL ( pa_lang2.dll ). The  PACLOUD.exe binary is used to sideload\r\nthe Paklog DLL which starts the keylogger functionality. 
The sections below provide more information about Paklog.\r\nThe Paklog DLL (pa_lang2.dll) includes a malicious export function named ASH_LANG2_add, which performs the following actions:\r\nKeylogging Setup: Utilizes the SetWindowsHookExW API, with idHook set to WH_KEYBOARD_LL, and a custom hook procedure.\r\nData Logging: The custom hook procedure tracks keystrokes within the foreground window and logs the information in the following format:\r\ntimestamp: The precise time the key was pressed, formatted as %Y-%m-%d %H:%M:%S.\r\nwindow_text: The text of the foreground window.\r\nprocess_full_path: The full path of the process active in the foreground.\r\nKey Mapping: Each key's virtual code is mapped to a specific string that represents the corresponding key pressed by the user.\r\nIn addition to keylogging, Paklog can be used to monitor clipboard activity and extract its contents. Whenever the user presses the Ctrl + V key combination, the malware intercepts the request, retrieves the clipboard data, and copies it to a buffer.\r\nhttps://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2\r\nPage 1 of 10\n\n
Both the keystrokes and clipboard data are encoded and saved to the file: C:\\\\Users\\\\Public\\\\Libraries\\\\record.txt.\r\nPAKLOG uses a simple encoding mechanism to encode the characters in the buffer.\r\nUppercase characters\r\nIf the ASCII code of the character is below 0x5a (the uppercase character range), the new character code is determined using the formula:\r\nnew_char_code = (orig_char_code - 0x3e % 0x1a) + 0x41\r\nLowercase characters\r\nIf the ASCII code of the character is above 0x5a (the lowercase character range), the new character code is determined using the formula:\r\nnew_char_code = (orig_char_code - 0x5e % 0x1a) + 0x61\r\nCorKLOG\r\nCorKLOG is another keylogger designed to capture keystrokes, storing the captured data in an encrypted file using a 48-character RC4 key. To ensure it runs continuously, the keylogger establishes persistence on the system by creating services or scheduled tasks. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). Mustang Panda likely intended for the executable to sideload the DLL and activate the keylogger. However, due to an error, the executable does not sideload the DLL, since it does not load a DLL with the CorKLOG DLL’s filename.\r\nThe CorKLOG DLL achieves persistence through one of two mechanisms, depending on its privilege level. If it detects that it is running with administrator privileges, the malware installs itself as a service. The second persistence mechanism creates a scheduled task called TabletlnputServices.
The scheduled task is set to run every 10 minutes using the following command-line:\r\nschtasks /create /tn TabletlnputServices /tr /sc minute /mo 10 /f\r\nCorKLOG then executes schtasks a second time to run the task immediately.\r\nThe keylogging code records its output to a file, encrypting the contents with RC4 using the key fkpioefpoea$@^Tf0-0-gepwf09IJGEJ0IFAPKO456SG894E before writing them to disk.\r\nCorKLOG includes a configuration file stored in the .config section of the binary. While the configuration file for this sample is missing, our analysis suggests that it typically contains the following values:\r\nService name\r\nService display name\r\nFolder\r\nThe code snippet below illustrates the multi-stage decryption process applied to the configuration values. This process uses the same XOR key, but begins at four different offsets within the key, performing a series of XOR operations on the encrypted string.\r\nvoid crypto_xor_decrypt(PSTR buffer, int32_t size)\r\n{\r\n    uint8_t index = 0;\r\n    if (size)\r\n    {\r\n        // First decryption pass: the xor key starting location is at the beginning of the xor key\r\n        do\r\n        {\r\n            // xor key length := 0x3f\r\n            buffer[index] ^= xorkey[index \u0026 0x3f];\r\n            index += 1;\r\n        } while (index < size);\r\n        // The remaining three passes repeat this loop, each starting at a different offset within the same xor key (not shown in this excerpt)\r\n    }\r\n}\r\nSplatDropper\r\nSplatCloak (discussed later) is deployed by SplatDropper, a small utility that drops the driver onto the system, executes it, and then removes itself to avoid leaving traces. SplatDropper is delivered inside a RAR archive (e.g., kb.rar), which contains two files: a legitimate executable (BugSplatHD64.exe) and the SplatDropper DLL (BugSplat64.dll).\r\nThe legitimate executable sideloads the SplatDropper DLL, which performs the following actions:\r\n1. Resolves Windows APIs by hash.\r\n2.
Decrypts the kernel driver (SplatCloak) using a single-byte XOR key (0x5a) and writes the result to disk.\r\n3. Creates a Windows service to execute SplatCloak.\r\n4. Waits 5 seconds to allow SplatCloak to run.\r\n5. Stops the Windows service.\r\n6. Cleans up (removes the Windows service and deletes SplatCloak).\r\nSplatDropper resolves the required Windows API calls by hash. The hash algorithm is identical to the methods used in tonepipeshell and tonepipeshell_alt, but with a seed value of 131313 (instead of previously observed values that include 13131313 and 1313131313). The API hashing algorithm is shown in the code snippet below:\r\n// Hash an API name using the seed value 131313 (decompiled loop wrapped in a function)\r\nuint64_t api_hash_by_name(char* apiname)\r\n{\r\n    char* apiname_1 = apiname;\r\n    int32_t api_hash = 0;\r\n    while ((int32_t)*(uint8_t*)apiname_1)\r\n    {\r\n        api_hash = api_hash * 131313 + (int32_t)*(uint8_t*)apiname_1;\r\n        apiname_1 = \u0026apiname_1[1];\r\n    }\r\n    return (uint64_t)api_hash;\r\n}\r\nSplatDropper generates three random strings, consisting of characters from A-Z, to create the filename, service name, and service display name. The algorithm is depicted in the code snippet below.\r\n// Generate a char buffer containing the ascii codes for A-Z\r\nchar alphabet[0x1a];\r\nfor (int32_t i = 0; i < 0x1a; i++)\r\n{\r\n    alphabet[i] = 'A' + i;\r\n}\r\nSplatCloak\r\nThe sole purpose of the SplatCloak driver is to identify and disable, or remove, notification hooks and callbacks associated with Windows Defender and Kaspersky. SplatCloak makes use of a revoked certificate (certificate thumbprint: 09ededdcbdb0c03c850f1d29920e412348120c8d) issued to Xtreaming Technology Inc. with the start date of 2010-02-22 00:00:00 UTC and the end date of 2012-02-22 23:59:59 UTC. The threat actor is exploiting the fact that Windows allows drivers with revoked certificates to be loaded. ThreatLabz also confirmed that this driver will be successfully loaded on a fully patched Windows 10 system.
Other interesting features implemented in SplatCloak are control flow flattening and mixed boolean arithmetic, used to hinder reverse engineering efforts by malware analysts.\r\nThe SplatCloak driver, similar to its dropper (SplatDropper), dynamically resolves Windows API functions; however, the code does not utilize API hashing. Instead, the driver resolves API calls by retrieving the SYSTEM_MODULE_INFORMATION structure via ZwQuerySystemInformation (with the SystemInformationClass parameter set to SystemModuleInformation) and traversing the returned SYSTEM_MODULE_ENTRY structure to locate the base address of ntoskrnl.exe. This process is shown in the figure below.\r\nFigure 1: Relationship between the system module information structure and the system module structure.\r\nUsing the base address of ntoskrnl, the SplatCloak driver parses its Portable Executable (PE) structure to obtain the address of MmGetSystemRoutineAddress.
This function is used to resolve various kernel-level Windows APIs, including the locations of PsProcessType and PsThreadType, which are also exported by ntoskrnl. Additionally, RtlGetVersion is resolved to retrieve the Windows build number.\r\nThe SplatCloak driver retrieves the callback routine list pointers supplied by the system, which are shown in the table below:\r\nList Name | List Length | Description\r\nPspCreateProcessNotifyRoutine | 64 | List of function pointers that are executed when a process is created.\r\nPspCreateThreadNotifyRoutine | 64 | List of function pointers that are executed when a thread is created.\r\nPspLoadImageNotifyRoutine | 64 | List of function pointers that are executed when an image is loaded into memory.\r\nTable 1: List of kernel-level notification routines identified by the SplatCloak driver.\r\nThis retrieval is accomplished by analyzing the bytes of the resolved functions to identify a specific pattern that points to their associated notification list of function pointers. The logic for each routine is illustrated in the figure below.\r\nFigure 2: SplatCloak logic for locating the routines: (left to right) PspCreateProcessNotifyRoutine, PspCreateThreadNotifyRoutine, and PspLoadImageNotifyRoutine.\r\nThe CallbackListHead (registry related callbacks) location is also determined by inspecting the bytes in CmUnRegisterCallback, as shown in the figure below.\r\nFigure 3: Shows the process used by the SplatCloak driver to find the CallbackListHead location.
If the Windows dwBuildNumber retrieved via RtlGetVersion is 19000 or higher (Windows 10 version 2004 or later), the driver proceeds to unregister and disable the identified callbacks. However, it’s worth noting that even in newer Windows versions with build numbers above 19000, the driver may not function correctly, as the opcodes of the inspected functions have changed.\r\nTo identify whether a callback or notification routine should be disabled, the SplatCloak driver retrieves the FullPathName from _SYSTEM_MODULE_ENTRY using ZwQuerySystemInformation as previously described. The malware then examines the filename to determine if it matches any of the Windows Defender-related drivers listed in the table below.\r\nDriver | Description\r\nwdfilter.sys | Responsible for monitoring and filtering file system activity to detect and prevent malicious behavior.\r\nwdboot.sys | Operates during system boot to ensure protection against threats before the operating system fully loads.\r\nwddevflt.sys | Designed to monitor and filter device-level operations, providing an additional layer of security for hardware interactions.\r\nwdnisdrv.sys | Inspects and filters network streams to detect and block potential threats transmitted over the network.\r\nTable 2: List of Windows Defender-related files monitored by SplatCloak.\r\nThe Kaspersky check involves enumerating each callback and notification routine within the system to pinpoint the binary associated with the function they reference.
Once the corresponding binary is identified, the SplatCloak driver maps the binary into memory and analyzes its structure to locate the IMAGE_DIRECTORY_ENTRY_SECURITY. This entry provides a pointer to the code signing certificate embedded within the binary.\r\nUnlike other entries in the IMAGE_DATA_DIRECTORY array, which typically use relative virtual addresses, the IMAGE_DIRECTORY_ENTRY_SECURITY uses a physical file offset to indicate the location of the signed certificate. This physical offset points to where the certificate is stored, which is typically found in the file overlay — the data appended to the binary beyond the standard PE file structure. This process is shown in the figure below.\r\nFigure 4: SplatCloak process for determining the location and size of the code signing certificate.\r\nThe SplatCloak driver uses this offset, if present, to locate the certificate and examine the associated bytes for the keyword kaspersky.\r\nWith the exception of callbacks related to PsProcessType and PsThreadType, any callbacks or notifications that match either Kaspersky or drivers associated with Windows Defender are removed using the appropriate APIs:\r\nPsSetCreateProcessNotifyRoutine (the remove parameter is set to True)\r\nPsSetCreateProcessNotifyRoutineEx (the remove parameter is set to True)\r\nPsSetCreateProcessNotifyRoutineEx2 (the remove parameter is set to True)\r\nPsRemoveCreateThreadNotifyRoutine\r\nPsRemoveLoadImageNotifyRoutine\r\nCmUnRegisterCallback\r\nFor PsProcessType and PsThreadType, the OB_CALLBACK_ENTRY_t structure's Enabled value is set to FALSE, effectively disabling the callback. Both PsProcessType and PsThreadType are of type _OBJECT_TYPE.
These structures and their relationships are depicted in the figure below.\r\nFigure 5: Shows the path from the _OBJECT_TYPE structure to the OB_CALLBACK_ENTRY_t structure. (Reference: https://github.com/wavestone-cdt/EDRSandblast)\r\nSource: https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2"
	],
	"report_names": [
		"latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd27ca83cc69535d856a5af8db9e8bf003eb26a1.pdf",
		"text": "https://archive.orkl.eu/bd27ca83cc69535d856a5af8db9e8bf003eb26a1.txt",
		"img": "https://archive.orkl.eu/bd27ca83cc69535d856a5af8db9e8bf003eb26a1.jpg"
	}
}