S1228 PUBLOAD
PUBLOAD is a stager malware that has been observed installing itself in existing directories such as C:\Users\Public or creating new directories to stage the malware and its components.[2] PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as "NoFive" and some public reporting identifies the loader component as CLAIMLOADER.[1]
| Item | Value |
|---|---|
| ID | S1228 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 August 2025 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PUBLOAD has communicated via curl over HTTP to identify device IP data.[5] PUBLOAD has also utilized HTTP for a command-and-control protocol through HTTP POST.[7][3][6] PUBLOAD has also leveraged HTTPS for C2.[1] |
| enterprise | T1071.002 | File Transfer Protocols | PUBLOAD has used curl for data exfiltration over FTP.[5] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | PUBLOAD has used utilities such as WinRAR to archive data prior to exfiltration.[5] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | PUBLOAD has added Registry Run keys to achieve persistence using HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[8][7][3][5][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | PUBLOAD has used several commands executed in sequence via cmd.[5] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol or Service Impersonation | PUBLOAD has modified HTTP POST requests to resemble legitimate communications.[3][6] PUBLOAD used FakeTLS headers in network packets to impersonate various versions of the TLS protocol to blend in with legitimate network traffic. PUBLOAD has utilized FakeTLS headers with the bytes 17 03 03.[1] |
| enterprise | T1622 | Debugger Evasion | PUBLOAD has embedded debug strings with messages to distract analysts.[8][2] PUBLOAD has leveraged the OutputDebugStringW and OutputDebugStringA functions.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PUBLOAD has decoded its payload prior to execution.[8][3][1][2][6] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | PUBLOAD has used RC4 encryption in C2 communications.[8][7][2] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.001 | Environmental Keying | PUBLOAD has utilized environmental keying in the payload to include the victim volume serial number, computer name, username, and machine's tick count.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | PUBLOAD has leveraged curl for data exfiltration over FTP by uploading RAR archives containing targeted files (.doc, .docx, .xls, .xlsx, .pdf, .ppt, .pptx) to an adversary-owned FTP site.[5] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | PUBLOAD has abused legitimate executables to side-load malicious DLLs.[8][7][3][1][2][6][9] |
| enterprise | T1105 | Ingress Tool Transfer | PUBLOAD has acted as a stager that can download the next-stage payload from its C2 server.[3][4][1][2][6] PUBLOAD has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems.[5] |
| enterprise | T1680 | Local Storage Discovery | PUBLOAD has leveraged wmic logicaldisk get to map local network drives.[5] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | PUBLOAD has renamed malicious files to mimic legitimate file names such as adobe_wf.exe.[2] |
| enterprise | T1106 | Native API | PUBLOAD has used various Windows API calls during execution, when establishing persistence and for defense evasion.[3][1] The PUBLOAD stager leveraged Windows API functions with callbacks, including GrayStringW, EnumDateFormatsA, and LineDDA, to bypass anti-virus monitoring.[2] PUBLOAD has also utilized other native Windows API functions with callback functions such as EnumChildWindows and EnumSystemLanguageGroupsA.[6] |
| enterprise | T1027 | Obfuscated Files or Information | PUBLOAD has obfuscated DLL names using the ror13AddHash32 algorithm.[8] |
| enterprise | T1027.015 | Compression | PUBLOAD has been delivered as compressed files within ZIP files to victims.[3][6] |
| enterprise | T1057 | Process Discovery | PUBLOAD has used tasklist to gather running processes on the victim host.[5] PUBLOAD has also leveraged the OpenEventA Windows API function to check whether the same process was already running.[2] |
| enterprise | T1012 | Query Registry | PUBLOAD has queried Registry values to identify software using reg query.[5] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | PUBLOAD has created scheduled tasks to maintain persistence with the command schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\Users\\Public\\Libraries\...[8][3][2] |
| enterprise | T1518 | Software Discovery | PUBLOAD has used several commands executed in sequence via cmd in a short interval to gather software versions, including querying Registry keys.[5] |
| enterprise | T1518.001 | Security Software Discovery | PUBLOAD has identified AV products on an infected host using the following command: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List.[5] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | PUBLOAD has used valid legitimate digital signatures and certificates to evade detection.[7] |
| enterprise | T1082 | System Information Discovery | PUBLOAD has collected and sent system information including volume serial number, computer name, and system uptime to the designated C2.[8][1] PUBLOAD has also used several commands executed in sequence via cmd in a short interval to gather system information about the infected host, including systeminfo.[5] PUBLOAD has decrypted shellcode that collects the computer name.[2] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | PUBLOAD has checked supported languages on the compromised system.[7] |
| enterprise | T1016 | System Network Configuration Discovery | PUBLOAD has obtained information about local networks through the ipconfig /all command.[5] |
| enterprise | T1016.001 | Internet Connection Discovery | PUBLOAD has identified internet connectivity details through commands such as tracert -h 5 -4 google.com and curl http://myip.ipip.net.[5] |
| enterprise | T1016.002 | Wi-Fi Discovery | PUBLOAD has collected information on Wi-Fi networks from victim hosts leveraging netsh wlan show profiles, netsh wlan show interface, and netsh wlan show.[5] |
| enterprise | T1049 | System Network Connections Discovery | PUBLOAD has used several commands executed in sequence via cmd in a short interval to gather information on network connections.[5] |
| enterprise | T1033 | System Owner/User Discovery | PUBLOAD has obtained the username from an infected host.[8][7][1][2] |
| enterprise | T1007 | System Service Discovery | PUBLOAD has leveraged tasklist to gather running services on the victim host.[5] |
| enterprise | T1124 | System Time Discovery | PUBLOAD has collected the machine's tick count through the use of GetTickCount.[1] |
| enterprise | T1205 | Traffic Signaling | PUBLOAD has utilized a magic packet value in C2 communications and only executes in memory when response packets match the specific values 17 03 03.[7][4][1][2][9] PUBLOAD has also used magic bytes consisting of 46 77 4d.[7] |
| enterprise | T1047 | Windows Management Instrumentation | PUBLOAD has used wmic to gather information from the victim device.[5] |
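The T1027 row above states that PUBLOAD obfuscates DLL names with the ror13AddHash32 algorithm. When an analyst finds such hash constants in a sample, the usual way to recover the hidden names is to precompute the hash of a candidate list and look the constants up. The following is an added example, not code from the ATT&CK page or from any PUBLOAD sample: it implements ror13AddHash32 as defined in FLARE's shellcode_hashes (rotate the running 32-bit hash right by 13, then add each byte), builds a reverse lookup table over a small list of common DLL names, and resolves a constructed set of hash values. The list of DLL names, the case and extension variants, and the `resolve_hashes` helper are assumptions for the demonstration; which exact form of the name PUBLOAD hashes is not stated on the page.

```python
# Added example (not from the ATT&CK page or any PUBLOAD sample): resolve
# ror13AddHash32 constants back to the DLL names they hide by precomputing
# hashes of candidate names and looking the constants up.
from typing import Dict, Iterable, List

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_add_hash32(name: str) -> int:
    """ror13AddHash32 as defined in FLARE's shellcode_hashes: for every byte,
    rotate the running hash right by 13 bits, then add the byte value."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> candidate string.

    Samples differ in whether they hash the name as written, lowercased or
    uppercased, and with or without the file extension, so every variant is
    hashed. The variant set is an assumption of this example, not something
    the page states about PUBLOAD."""
    table: Dict[int, str] = {}
    for name in names:
        stem = name.rsplit(".", 1)[0]
        variants = {name, name.lower(), name.upper(),
                    stem, stem.lower(), stem.upper()}
        for variant in variants:
            table[ror13_add_hash32(variant)] = variant
    return table


# Constructed candidate list; a real investigation would use a much larger
# export/DLL name corpus such as FLARE's shellcode_hashes database.
COMMON_DLLS: List[str] = [
    "kernel32.dll", "ntdll.dll", "user32.dll",
    "advapi32.dll", "ws2_32.dll", "wininet.dll",
]


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, str]:
    """Hypothetical helper: map each hash constant to its resolved name, or
    '<unknown>' when it is not in the table."""
    return {h: table.get(h, "<unknown>") for h in hashes}


if __name__ == "__main__":
    lookup = build_hash_table(COMMON_DLLS)
    # Constructed sample input: constants as they might be read from a
    # disassembly; one resolves, one deliberately does not.
    sample_constants = [ror13_add_hash32("kernel32.dll"), 0xDEADBEEF]
    for h, resolved in resolve_hashes(sample_constants, lookup).items():
        print(f"{h:#010x} -> {resolved}")
```

A constant that stays `<unknown>` usually means the sample hashes a different form of the string (another case, a wide-character encoding, or a trailing null), so the practical next step is to widen the variant set rather than to assume the hash is a different algorithm.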
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [8][7][3][4][1][5][2][6][9] |
References
1. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
2. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
3. Dex. (n.d.). New Mustang Panda's campaing against Australia. Retrieved August 4, 2025.
4. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
5. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
6. Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.
7. CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta's Handling of Rebel Attacks. Retrieved August 4, 2025.
8. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.
9. Unit42. (2024, March 26). ASEAN Entities in the Spotlight: Chinese APT Group Targeting. Retrieved August 4, 2025.