This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. For details on ToneShell and StarProxy, go to Part 1.IntroductionIn addition to the new ToneShell variants and StarProxy, Zscaler ThreatLabz discovered two new keyloggers used by Mustang Panda that we have named PAKLOG and CorKLOG as well as an EDR evasion driver (SplatCloak) on Mustang Panda’s staging server. In Part 2 of this series, we will analyze these keyloggers and the EDR evasion driver.Key TakeawaysMustang Panda continues to create new tooling in targeted attacks.PAKLOG is a keylogger that the group uses to monitor keystrokes and clipboard data and employs a custom character encoding scheme to obfuscate the log data.CorKLOG is also a keylogger deployed by Mustang Panda that uses a 48-character long RC4 key to encrypt the contents of the key logger capture file. Persistence is maintained by creating services or scheduled tasks.SplatCloak is a tool used by Mustang Panda that disables kernel-level notification callbacks for four Windows Defender-related drivers and Kaspersky drivers. The developers implemented code obfuscation techniques, including control flow flattening and mixed boolean arithmetic, to hinder analysis.Technical Analysis The technical analysis in this section focuses on the keyloggers, PAKLOG and CorKLOG, along with SplatCloak. Both PAKLOG and CorKLOG are straightforward keyloggers, but CorKLOG includes persistence mechanisms. Additionally, both keyloggers obfuscate log files to conceal their activity. SplatCloak, deployed by SplatDropper, is a Windows kernel driver designed to disable EDR-related routines implemented by Windows Defender and Kaspersky, enabling it to evade detection.PAKLOGPaklog is a keylogger that utilizes high-level Windows APIs to capture keystrokes and monitor clipboard activity. The keylogger then encodes this data and writes it to a local file. Paklog lacks built-in exfiltration capabilities, suggesting that Mustang Panda mainly uses it to collect data and leverages other methods for data exfiltration. Paklog is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious Paklog DLL (pa_lang2.dll). The PACLOUD.exe binary is used to sideload the Paklog DLL which starts the keylogger functionality. The sections below provide more information about Paklog.The Paklog DLL (pa_lang2.dll) includes a malicious export function named ASH_LANG2_add, which performs the following actions:Keylogging Setup: Utilizes the SetWindowsHookExW API, with idHook set to WH_KEYBOARD_LL, and a custom hook procedure.Data Logging: The custom hook procedure tracks keystrokes within the foreground window and logs the information in the following format:%26lt;timestamp%26gt; %26lt;window_text%26gt; %26lt;process_full_path%26gt; timestamp: The precise time the key was pressed, formatted as %Y-%m-%d %H:%M:%S.window_text: The text of the foreground window.process_full_path: The full path of the process active in the foreground. Key Mapping: Each key’s virtual code is mapped to a specific string that represents the corresponding key pressed by the user.In addition to keylogging, Paklog can be used to monitor clipboard activity and extract its contents. Whenever the user presses the Ctrl + V key combination, the malware intercepts the request, retrieves the clipboard data, and copies it to a buffer. Both the keystrokes and clipboard data are encoded and saved to the file: C:\\Users\\Public\\Libraries\\record.txt.PAKLOG uses a simple encoding mechanism to encode the characters in the buffer.Uppercase charactersIf the ASCII code of the character is below 0x5a (the uppercase character range), the new character code is determined using the formula:new_char_code = (orig_char_code – 0x3e % 0x1a) + 0x41Lowercase charactersIf the ASCII code of the character is above 0x5a (the lowercase character range), the new character code is determined using the formula:new_char_code = (orig_char_code – 0x5e % 0x1a) + 0x61CorKLOGCorkLOG is another keylogger designed to capture keystrokes, storing the captured data in an encrypted file using a 48-character RC4 key. To ensure it runs continuously, the keylogger establishes persistence on the system by creating services or scheduled tasks. CorkLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). Mustang Panda likely intended on the executable being used to sideload the DLL to activate the keylogger. However, due to an error, the executable does not sideload the DLL, since the executable does not load a DLL with CorKLOG DLL’s filename.The CorKLOG DLL achieves persistence through one of two mechanisms, depending on its privilege level. If it detects that it is running with administrator privileges, the malware installs itself as a service. The second persistence mechanism creates a scheduled task called TabletlnputServices. The scheduled task is set to run every 10 minutes using the following command-line:schtasks /create /tn TabletlnputServices /tr %26lt;FILENAME%26gt; /sc minute /mo 10 /fCorKLOG then executes schtasks a second time to run the task immediately.The keylogging code records its output to a file, encrypting the contents with RC4 using the key fkpioefpoea$@^Tf0-0-gepwf09IJGEJ0IFAPKO456SG894E before writing them to disk.CorKLOG includes a configuration file stored in the .config section of the binary. While the configuration file for this sample is missing, our analysis suggests that it typically contains the following values:Service nameService display nameFolderThe code snippet below illustrates the multi-stage decryption process applied to the configuration values. This process uses the same XOR key, but begins at four different offsets within the key, performing a series of XOR operations on the encrypted string.void crypto_xor_decrypt(PCSTR buffer, int32_t size)
{
uint8_t index = 0;
if (size)
{
// First decryption pass, the xor key starting location is at the beginning of the xor key
do
{
// xor key length := 0x3f
buffer[index] ^= xorkey[index & 0x3f];
index += 1;
} while (index %26lt; size);
PVOID buffer_2 = buffer;
int32_t copy_of_size = size;
int32_t copy_of_size_1;
// Second decryption pass, the xor key starting location is 2 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer_2 ^= xorkey[(2 – buffer + buffer_2) & 0x3f];
buffer_2 += 1;
temp_str_len_remaining = str_len_remaining;
str_len_remaining -= 1;
} while (temp_str_len_remaining != 1);
PVOID buffer_1 = buffer;
int32_t str_len_remaining_1 = size;
int32_t temp_str_len_remaining_1;
// Third decryption pass, the xor key starting location is 5 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer_1 ^= xorkey[(5 – buffer + buffer_1) & 0x3f];
buffer_1 += 1;
temp_str_len_remaining_1 = str_len_remaining_1;
str_len_remaining_1 -= 1;
} while (temp_str_len_remaining_1 != 1);
uint32_t offset = 0xa – buffer;
int32_t temp_str_len_remaining_2;
// Forth decryption pass, the xor key starting location is 10 bytes from the beginning of the xor key
do
{
*(uint8_t*)buffer ^= xorkey[(offset + buffer) & 0x3f];
buffer = &buffer[1];
temp_str_len_remaining_2 = size;
size -= 1;
} while (temp_str_len_remaining_2 != 1);
}
}SplatDropperSplatCloak (discussed later) is deployed by SplatDropper, a small utility that drops the driver onto the system, executes it, and then removes itself to avoid leaving traces. SplatDropper is delivered inside a RAR archive (e.g., kb.rar), which contains two files: a legitimate executable (BugSplatHD64.exe) and the SplatDropper DLL (BugSplat64.dll).The legitimate executable sideloads the SplatDropper DLL, which performs the following actions:Resolves Windows APIs by hash.Decrypts the kernel driver (SplatCloak) using a single-byte XOR key (0x5a) and writes the result to disk.Creates a Windows service to execute SplatCloak.Waits 5 seconds to allow SplatCloak to run.Stops the Windows Service.Cleans up (removes the Windows service and deletes SplatCloak).SplatDropper resolves the required Windows API calls by hash. The hash algorithm is identical to the methods used in tonepipeshell and tonepipeshell_alt, but with a seed value of 131313 (instead of previously observed values that include 13131313 and 1313131313). The API hashing algorithm is shown in the code snippet below:char* apiname_1 = apiname;
int32_t api_hash = 0;
while ((int32_t)*(uint8_t*)apiname_1)
{
api_hash = api_hash * 131313 + (int32_t)*(uint8_t*)apiname_1;
apiname_1 = &apiname_1[1];
}
return (uint64_t)api_hash;SplatDropper generates three random strings, consisting of characters from A-Z, to create the filename, service name, and service display name. The algorithm is depicted in the code snippet below.// Generate a char buffer containing the ascii codes for A-Z
char alphabet[0x1a];
for (int32_t i = 0; i %26lt; 26; i += 1)
alphabet[(int64_t)i] = i + 0x41;
out_buffer[str_length] = 0;
// Construct a random string from the generated alphabet into
// the out_buffer
for (int32_t i_1 = 0; i_1 %26lt; str_length; i_1 += 1)
{
int32_t random_number = j_rand() + i_1;
if (random_number %26lt; 0)
random_number = -(random_number);
out_buffer[(int64_t)i_1] = alphabet[(int64_t)((int64_t)random_number % 26)];
}SplatCloakThe sole purpose of the SplatCloak driver is to identify and disable, or remove notification hooks and callbacks associated with Windows Defender and Kaspersky. SplatCloak makes use of a revoked certificate (certificate thumbprint: 09ededdcbdb0c03c850f1d29920e412348120c8d) issued to Xtreaming Technology Inc. with the start date of 2010-02-22 00:00:00 UTC and the end date of 2012-02-22 23:59:59 UTC. The threat actor is exploiting the fact that Windows allows drivers with revoked certificates to be loaded. ThreatLabz also confirmed that this driver will be successfully loaded on a fully patched Windows 10 system. Other interesting features implemented in SplatCloak are control flow flattening and mixed boolean arithmetic used to hinder reverse engineering efforts by malware analysts.The SplatCloak driver, similar to its dropper (SplatDropper), dynamically resolves Windows API functions; however, the code does not utilize API hashing. Instead, the driver resolves API calls by retrieving the SYSTEM_MODULE_INFORMATION structure via ZwQuerySystemInformation (with the SystemInformationClass parameter set to SystemModuleInformation) and traversing the returned SYSTEM_MODULE_ENTRY structure to locate the base address of ntoskrnl.exe. This process is shown in the figure below.Figure 1: Relationship between the system module information structure and the system module structure. Using the base address of ntoskrnl, the SplatCloak driver parses its Portable Executable (PE) structure to obtain the address of MmGetSystemRoutineAddress. This function is used to resolve various kernel-level Windows APIs, including the locations of PsProcessType and PsThreadType, which are also exported by ntoskrnl. Additionally, RtlGetVersion is resolved to retrieve the Windows build number.The SplatCloak driver retrieves the callback routine list pointers supplied by the system, which are shown in the table below:List NameList LengthDescriptionPspCreateProcessNotifyRoutine64List of function pointers that are executed when a process is created.PspCreateThreadNotifyRoutine64List of function pointers that are executed when a thread is created.PspLoadImageNotifyRoutine64List of function pointers that are executed when an image is loaded into memory.Table 1: List of kernel-level notification routines identified by the SplatCloak driver.This retrieval is accomplished by analyzing the bytes of the resolved functions to identify a specific pattern that points to their associated notification list of function pointers. The logic for each routine is illustrated in the figure below.Figure 2: SplatCloak logic for locating the routines: (left to right) PspCreateProcessNotifyRoutine, PspCreateProcessNotifyRoutine, and PspLoadImageNotifyRoutine.The CallbackListHead (registry related callbacks) location is also determined by inspecting the bytes in CmUnRegisterCallback, as shown in the figure below.Figure 3: Shows the process used by the SplatCloak driver to find the CallbackListHead location. If the Windows dwBuildNumber retrieved via RtlGetVersion is 19000 or higher (Windows 10 version 2004 or later), the driver proceeds to unregister and disable the identified callbacks. However, it’s worth noting that even in newer Windows versions with build numbers above 19000, the driver may not function correctly, as the opcodes for inspected functions have changed.To identify whether a callback or notification routine should be disabled, the SplatCloak driver retrieves the FullPathName from _SYSTEM_MODULE_ENTRY using ZwQuerySystemInformation as previously described. The malware then examines the filename to determine if it matches any of the Windows Defender-related drivers listed in the table below.Driver Description wdfilter.sys Responsible for monitoring and filtering file system activity to detect and prevent malicious behavior.wdboot.sysOperates during system boot to ensure protection against threats before the operating system fully loads.wddevflt.sysDesigned to monitor and filter device-level operations, providing an additional layer of security for hardware interactions.wdnisdrv.sysInspects and filters network streams to detect and block potential threats transmitted over the network.Table 2: List of Windows Defender-related files monitored by SplatCloak.The Kaspersky check involves enumerating each callback and notification routine within the system to pinpoint the binary associated with the function they reference. Once the corresponding binary is identified, the SplatCloak driver maps the binary into memory and analyzes its structure to locate the IMAGE_DIRECTORY_ENTRY_SECURITY. This entry provides a pointer to the code signing certificate embedded within the binary.Unlike other entries in the IMAGE_DATA_DIRECTORY array, which typically use relative virtual offsets, the IMAGE_DIRECTORY_ENTRY_SECURITY uses a physical file offset to indicate the location of the signed certificate. This physical offset points to where the certificate is stored, which is typically found in the file overlay, the data appended to the binary beyond the standard PE file structure. This process is shown in the figure below.Figure 4: SplatCloak process for determining the location and size of the code signing certificate. The SplatCloak driver uses this offset, if present, to locate the certificate and examine the associated bytes for the keyword kaspersky.With the exception of callbacks related to PsProcessType and PsThreadType, any callbacks or notifications that match either Kaspersky or drivers associated with Windows Defender are removed using the appropriate APIs.PsSetCreateProcessNotifyRoutineThe remove parameter is set to True.PsSetCreateProcessNotifyRoutineExThe remove parameter is set to True.PsSetCreateProcessNotifyRoutineEx2The remove parameter is set to True.PsRemoveCreateThreadNotifyRoutinePsRemoveLoadImageNotifyRoutineCmUnRegisterCallbackFor PsProcessType and PsThreadType, the OB_CALLBACK_ENTRY_t structure’s Enabled value is set to FALSE, effectively disabling the callback. Both PsProcessType and PsThreadType are of type _OBJECT_TYPE. These structures and their relationships are depicted in the figure below.Figure 5: Shows path from _OBJECT_TYPE structure to the OB_CALLBACK_ENTRY_t structure. (Reference: github.com/wavestone-cdt/EDRSandblast) Threat AttributionFigure 6: Diamond model highlighting TTP overlap with past Mustang Panda activity.Zscaler ThreatLabz attributes this intrusion to Mustang Panda. Nearly all of the tools discussed in this analysis were hosted as RAR archives on the same server the threat actor used to deliver ToneShell (see Part 1). Tool overlap”, particularly the inclusion of ToneShell”, strongly links Mustang Panda to this activity. Additionally, technical overlaps in newly discovered tools align with prior Mustang Panda malware, including techniques such as control flow flattening, mixed boolean arithmetic, and RC4 encryption, which are hallmark features of Mustang Panda’s customized PlugX variant.The discovery of StarProxy (see Part 1) further strengthens the attribution, as it employs FakeTLS”, similar to ToneShell. SplatDropper shares similarities in the API hashing techniques observed in the ToneShell variants covered in Part 1. From a victim’s perspective, aligning with the Diamond Model framework, Mustang Panda’s historical targeting of Myanmar and NGOs reinforces the connection, as these entities have been frequent targets of this threat actor over the years.ConclusionThe absence of a direct connection to a C2 server suggests that Mustang Panda likely relies on hands-on-keyboard access during their intrusions or employs additional tooling to facilitate the execution of their keyloggers (PAKLOG, CorKLOG) and EDR evasion driver (SplatCloak). This also implies that keylogger data must be exfiltrated through other methods. As highlighted in the first blog of this two-part series, the tools are designed with several techniques to mitigate detection. Specifically, the SplatCloak driver is tailored to evade Microsoft Defender and Kaspersky, and its dropper ensures the driver is removed from disk before execution.Overall, Mustang Panda demonstrates a calculated approach to achieving their objectives. Continuous updates, new tooling, and layered obfuscation prolongs the group’s operational security and improves the efficacy of attacks.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to Mustang Panda at various levels with the following threat names:Win32.Backdoor.ToneshellWin32.Trojan.MustangPandaIndicators Of Compromise (IOCs)File indicatorsMD5 HashSHA1 HashSHA256 HashFilenameDescriptionf8e865c9ed99b1e4725f5ccdc3ef0ba7b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec46f3a2913a59309c6b4b38040cfb08a4e04404e6f93215fd72dbc52781d99ff29key.rarRAR archive file a4eb2d1252b90f4b1d77ed374092a1625747a2dd63c97f97ee439482dfd43890410439026c01b3d9f7929d8d18747cb6feba416e8702f853a303a63ae37af38e95af79cdpa_lang2.dllThis is PAKLOG which is a Windows keylogger. e0ee591b4a97a9876f4f9e75be3fdd087d1bd5191ed9c42ead2fc51400d3a398df0c3f7b d72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7PACLOUD.EXELegitimate and signed binaryade40faa90439abdac911ce1ac50e4b9361ad9f8d0b3f248a35e8d570ca58e8e152573cd3fa4e089bf7bf183d7e746b9eb02b852df5673d7ab39008252e3954fc70d2cbakb.rarRAR archive60138b3f2791742dd65bdf29376055e8f6ade6bbdd1828add500aa82505567cf9f21efaf1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84aBugSplatHD64.exeLegitimate and signed binarycbb7309092862f0999f7a442e17b1ba6ae896332d3b40b627f44e6dc038f8c2396ecaf4d86f6d29ef0532236ad180dcf9a4b0c1ac1f8f2ec9cec7a5b312f4e940df7edceBugSplat64.dllThis is SplatDropper which is responsible for dropping and executing SplatCloak.3385a945449774d71377d3a08e5d0d43 3e8cb0b1f93da475889dd065ee21261e1b6f6fffbefbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c This is SplatCloak which is a malicious driver dropped by BugSplat64.dll.6c4eb9be8ea20055b88c5b703d41d1d22696467025b0d1052d11d3f7bc68c6cb4cb635a59c61a53b787bb42b12a3a44151ce1348669b4c745d087fb602df2b28d0fd92b5src.rarRAR archivee7552a105efaadfa7fd3b7a5fc7d46bf5a7a1bfa0972a155928d9e0fb95c015fc00eb5103938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5flcommute.exeLegitimate and signed binary91f1f4bd673807647126e65ab8fd15aef7cc59edd9fa8fd9b0d7d2316d86c348458b81013a59407db18f575adf956027c8e8af961e1e2ef01d097f6c0a934aeaad45de03mscorsvc.dllCorKLOG is a keylogger.Certificate details of the signed binariesSHA256 HashBinary NameName of the Signer1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84aBugSplatHD64.exeBugSplatd72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7PACLOUD.exeConeXware, Inc.3938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5flcommute.exeInternational Business Machines Corporationbefbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c(the dropped driver)Xtreaming Technology Inc.Network indicatorsTypeIndicatorPayload hosting server103.13.31[.]75/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/Host indicatorsTypeIndicatorKeylog file used by PAKLOGC:\\Users\\Public\\Libraries\\record.txtSplatCloakTemporarily drops a .sys into C:\Users\public\ MITRE ATT&CK FrameworkIDTacticDescriptionT1574.002Hijack Execution Flow: DLL Side-LoadingAll the DLLs in this new toolset are sideloaded by legitimate and signed Windows binaries.T1056.001Input Capture – KeyloggingPAKLOG is a Windows user mode keylogger that captures the user keystrokes. T1115Clipboard DataPAKLOG captures the clipboard’s content.T1027Obfuscated Files or InformationPAKLOG encodes the contents of the file capturing keystrokes. Windows driver uses control flow flattening.T1573.001Symmetric CryptographyXOR encryption and RC4 encryption algorithms used by various Mustang Panda tools are symmetric cryptography algorithms.T1562.001Impair Defenses: Disable or Modify ToolsSplatCloak contains capabilities to disable Windows Defender and Kaspersky kernel-level monitoring callbacks.TA0002ExecutionCorKLOG will create a Scheduled Task.T1569.002System Services: Service ExecutionCorKLOG and SplatCloak are registered as Windows services.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2025/04/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2/
