Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2

    Date: 04/17/2025

    Severity: High

    Summary

    Mustang Panda continues to build custom tooling for its targeted intrusions. Two keyloggers are in current use: PAKLOG, which obfuscates the captured keystroke data with a custom encoding scheme, and CorKLOG, which encrypts its log files with RC4 under a 48-byte key. Both establish persistence through Windows services and scheduled tasks. The group also deploys SplatCloak, a Windows kernel driver that disables the kernel callbacks registered by security software and is heavily obfuscated to slow analysis. The indicators and detection queries below cover the samples and infrastructure associated with this tooling.

    Indicators of Compromise (IOC) List

    IP Address : 

    103.13.31.75

    Hash (MD5) : 

    f8e865c9ed99b1e4725f5ccdc3ef0ba7

    a4eb2d1252b90f4b1d77ed374092a162

    e0ee591b4a97a9876f4f9e75be3fdd08

    ade40faa90439abdac911ce1ac50e4b9

    60138b3f2791742dd65bdf29376055e8

    cbb7309092862f0999f7a442e17b1ba6

    3385a945449774d71377d3a08e5d0d43

    6c4eb9be8ea20055b88c5b703d41d1d2

    e7552a105efaadfa7fd3b7a5fc7d46bf

    91f1f4bd673807647126e65ab8fd15ae

    Hash (SHA-1) : 

    b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec4

    5747a2dd63c97f97ee439482dfd4389041043902

    7d1bd5191ed9c42ead2fc51400d3a398df0c3f7b

    361ad9f8d0b3f248a35e8d570ca58e8e152573cd

    f6ade6bbdd1828add500aa82505567cf9f21efaf

    ae896332d3b40b627f44e6dc038f8c2396ecaf4d

    3e8cb0b1f93da475889dd065ee21261e1b6f6fff

    2696467025b0d1052d11d3f7bc68c6cb4cb635a5

    5a7a1bfa0972a155928d9e0fb95c015fc00eb510

    f7cc59edd9fa8fd9b0d7d2316d86c348458b8101

    Hash (SHA-256) : 

    6f3a2913a59309c6b4b38040cfb08a4e04404e6f93215fd72dbc52781d99ff29

    6c01b3d9f7929d8d18747cb6feba416e8702f853a303a63ae37af38e95af79cd

    d72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7

    3fa4e089bf7bf183d7e746b9eb02b852df5673d7ab39008252e3954fc70d2cba

    1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84a

    86f6d29ef0532236ad180dcf9a4b0c1ac1f8f2ec9cec7a5b312f4e940df7edce

    befbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c

    9c61a53b787bb42b12a3a44151ce1348669b4c745d087fb602df2b28d0fd92b5

    3938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5f

    3a59407db18f575adf956027c8e8af961e1e2ef01d097f6c0a934aeaad45de03


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address :

    dstipaddress IN ("103.13.31.75") or srcipaddress IN ("103.13.31.75")

    Hash 1 : 

    md5hash IN ("a4eb2d1252b90f4b1d77ed374092a162","f8e865c9ed99b1e4725f5ccdc3ef0ba7","e0ee591b4a97a9876f4f9e75be3fdd08","ade40faa90439abdac911ce1ac50e4b9","60138b3f2791742dd65bdf29376055e8","cbb7309092862f0999f7a442e17b1ba6","3385a945449774d71377d3a08e5d0d43","6c4eb9be8ea20055b88c5b703d41d1d2","e7552a105efaadfa7fd3b7a5fc7d46bf","91f1f4bd673807647126e65ab8fd15ae")

    Hash 2 : 

    sha256hash IN ("6c01b3d9f7929d8d18747cb6feba416e8702f853a303a63ae37af38e95af79cd","6f3a2913a59309c6b4b38040cfb08a4e04404e6f93215fd72dbc52781d99ff29","d72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7","3fa4e089bf7bf183d7e746b9eb02b852df5673d7ab39008252e3954fc70d2cba","1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84a","86f6d29ef0532236ad180dcf9a4b0c1ac1f8f2ec9cec7a5b312f4e940df7edce","befbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c","9c61a53b787bb42b12a3a44151ce1348669b4c745d087fb602df2b28d0fd92b5","3938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5f","3a59407db18f575adf956027c8e8af961e1e2ef01d097f6c0a934aeaad45de03")

    Hash 3 : 

    sha1hash IN ("b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec4","5747a2dd63c97f97ee439482dfd4389041043902","7d1bd5191ed9c42ead2fc51400d3a398df0c3f7b","361ad9f8d0b3f248a35e8d570ca58e8e152573cd","f6ade6bbdd1828add500aa82505567cf9f21efaf","ae896332d3b40b627f44e6dc038f8c2396ecaf4d","3e8cb0b1f93da475889dd065ee21261e1b6f6fff","2696467025b0d1052d11d3f7bc68c6cb4cb635a5","5a7a1bfa0972a155928d9e0fb95c015fc00eb510","f7cc59edd9fa8fd9b0d7d2316d86c348458b8101")

    Hash 4 :

    hash IN ("b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec4","5747a2dd63c97f97ee439482dfd4389041043902","7d1bd5191ed9c42ead2fc51400d3a398df0c3f7b","361ad9f8d0b3f248a35e8d570ca58e8e152573cd","f6ade6bbdd1828add500aa82505567cf9f21efaf","ae896332d3b40b627f44e6dc038f8c2396ecaf4d","3e8cb0b1f93da475889dd065ee21261e1b6f6fff","2696467025b0d1052d11d3f7bc68c6cb4cb635a5","5a7a1bfa0972a155928d9e0fb95c015fc00eb510","f7cc59edd9fa8fd9b0d7d2316d86c348458b8101")
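    The queries above are written for the Gurucul TDIR query language. For teams that want to run the same sweep against exported logs or a different SIEM, the following Python script is an added example (not code from Gurucul or from the Zscaler report): it takes the indicator values published on this page, classifies each one by type from its length, collapses the duplicated SHA-256 entries, regenerates the query lists without duplicates, and matches the indicators case-insensitively against a few events. The field names (md5hash, sha1hash, sha256hash, srcipaddress, dstipaddress) are the ones used in the queries above; the sample events at the bottom are constructed for the demonstration and are not real telemetry.

```python
"""Offline IOC sweep for the Mustang Panda indicators published on this page.

Added example, not code from the Gurucul advisory or the Zscaler report. Event
field names mirror the advisory's TDIR queries; the sample events are constructed.
"""
import re
from typing import Dict, Iterable, List, Set

# Indicators as published on this page. The published list repeats some SHA-256
# values; one repeat is kept here so the normaliser has something to collapse.
RAW_IOCS = """
103.13.31.75
f8e865c9ed99b1e4725f5ccdc3ef0ba7
b2d865e243ea3d642c3a0a2c7d0ea52b79a18ec4
6f3a2913a59309c6b4b38040cfb08a4e04404e6f93215fd72dbc52781d99ff29
a4eb2d1252b90f4b1d77ed374092a162
5747a2dd63c97f97ee439482dfd4389041043902
6c01b3d9f7929d8d18747cb6feba416e8702f853a303a63ae37af38e95af79cd
e0ee591b4a97a9876f4f9e75be3fdd08
7d1bd5191ed9c42ead2fc51400d3a398df0c3f7b
d72e2da9043737f816ea66070cede47fc9b012a3a5444cc2fbdf00e683f277f7
ade40faa90439abdac911ce1ac50e4b9
361ad9f8d0b3f248a35e8d570ca58e8e152573cd
3fa4e089bf7bf183d7e746b9eb02b852df5673d7ab39008252e3954fc70d2cba
60138b3f2791742dd65bdf29376055e8
f6ade6bbdd1828add500aa82505567cf9f21efaf
1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84a
cbb7309092862f0999f7a442e17b1ba6
ae896332d3b40b627f44e6dc038f8c2396ecaf4d
86f6d29ef0532236ad180dcf9a4b0c1ac1f8f2ec9cec7a5b312f4e940df7edce
3385a945449774d71377d3a08e5d0d43
3e8cb0b1f93da475889dd065ee21261e1b6f6fff
befbc4c451721ad8cce0795f82aa0762640644807130bf5d0cba44a1cb194d9c
6c4eb9be8ea20055b88c5b703d41d1d2
2696467025b0d1052d11d3f7bc68c6cb4cb635a5
9c61a53b787bb42b12a3a44151ce1348669b4c745d087fb602df2b28d0fd92b5
e7552a105efaadfa7fd3b7a5fc7d46bf
5a7a1bfa0972a155928d9e0fb95c015fc00eb510
3938de0ec99cd035899ddd7e793c3aea0de37213b69ab0db64c88f33eba3da5f
91f1f4bd673807647126e65ab8fd15ae
f7cc59edd9fa8fd9b0d7d2316d86c348458b8101
3a59407db18f575adf956027c8e8af961e1e2ef01d097f6c0a934aeaad45de03
1ffc8bde92758bc0d2ddcc5a6bb78c73b6409429e52d62191f25afa8ebfad84a
"""

HEX_LEN_TO_FIELD = {32: "md5hash", 40: "sha1hash", 64: "sha256hash"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def classify(raw: str) -> Dict[str, Set[str]]:
    """Bucket indicators by target field; hash type comes from hex length, values are lower-cased and de-duplicated."""
    buckets: Dict[str, Set[str]] = {"ip": set(), **{f: set() for f in HEX_LEN_TO_FIELD.values()}}
    for value in (v.lower() for v in raw.split()):
        if IPV4.match(value):
            buckets["ip"].add(value)
        elif re.fullmatch(r"[0-9a-f]+", value) and len(value) in HEX_LEN_TO_FIELD:
            buckets[HEX_LEN_TO_FIELD[len(value)]].add(value)
        else:
            raise ValueError(f"unrecognised indicator: {value!r}")
    return buckets


def build_queries(buckets: Dict[str, Set[str]]) -> Dict[str, str]:
    """Render the same query shape the advisory uses, one per field, with duplicates removed."""
    def quoted(values: Set[str]) -> str:
        return ",".join(f'"{v}"' for v in sorted(values))
    ips = quoted(buckets["ip"])
    queries = {"ip": f"dstipaddress IN ({ips}) or srcipaddress IN ({ips})"}
    for field in HEX_LEN_TO_FIELD.values():
        queries[field] = f"{field} IN ({quoted(buckets[field])})"
    return queries


def sweep(events: Iterable[Dict[str, str]], buckets: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, field) whose value is in the matching bucket; matching ignores case."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for field, value in ev.items():
            bucket = "ip" if field in IP_FIELDS else field
            if bucket in buckets and str(value).lower() in buckets[bucket]:
                hits.append({"event_id": ev.get("event_id", "?"), "field": field, "ioc": str(value).lower()})
    return hits


# Constructed sample telemetry (not real logs): a C2 destination hit, an
# upper-case SHA-256 hit, and a clean event that must not match.
SAMPLE_EVENTS = [
    {"event_id": "1", "srcipaddress": "10.0.0.5", "dstipaddress": "103.13.31.75"},
    {"event_id": "2", "process": "svchost.exe",
     "sha256hash": "BEFBC4C451721AD8CCE0795F82AA0762640644807130BF5D0CBA44A1CB194D9C"},
    {"event_id": "3", "process": "notepad.exe", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    found = classify(RAW_IOCS)
    for query in build_queries(found).values():
        print(query)
    for hit in sweep(SAMPLE_EVENTS, found):
        print(hit)
```

    Running the script prints the three regenerated hash queries and the IP query, followed by the two hits from the sample events. To use it against real data, replace SAMPLE_EVENTS with events read from your own export (one dict per record with the same field names), and note that a hash or IP match on its own is a lead for triage, not a confirmed compromise: a hit on the SHA-256 of a known sample is strong, while a single connection to the listed IP should be checked against the process and timing before escalation.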

    Reference:

    https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2


    Tags

    Malware, Threat Actor, Mustang Panda, PAKLOG, CorKLOG, SplatCloak, Keylogger
