S1232 SplatDropper
SplatDropper is a loader that uses native Windows APIs to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and has used legitimate executables for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed in 2025.
| Item | Value |
|---|---|
| ID | S1232 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | SplatDropper has created a service to execute a payload.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SplatDropper has decoded an XOR-encrypted payload.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | SplatDropper has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.009 | Clear Persistence | SplatDropper has deleted its malicious payload and removed the service it created to avoid leaving traces of its presence on victim devices.[1] |
| enterprise | T1106 | Native API | SplatDropper has utilized hashed native Windows API calls.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.007 | Dynamic API Resolution | SplatDropper has leveraged hashed Windows API calls using a seed value of "131313".[1] |
| enterprise | T1027.013 | Encrypted/Encoded File | SplatDropper has also utilized an XOR-encrypted payload.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | SplatDropper has used legitimate signed binaries such as BugSplatHD64.exe for follow-on execution of malicious DLLs through DLL side-loading.[1] |
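The T1543.003 and T1070.009 rows together describe a detectable sequence: a service is created to run the payload, then the service and the payload file are removed shortly afterwards. The correlation below is an added illustration of how a defender can surface that pattern from host telemetry; it is not part of the ATT&CK entry and not derived from SplatDropper's code. The event records are constructed, and the normalized field names (`type`, `service`, `image`, `path`) are an assumption standing in for whatever your SIEM or EDR emits for service installation, service removal and file deletion.

```python
"""Correlate short-lived Windows services with follow-on payload deletion.

Added example for the ATT&CK S1232 entry; the telemetry below is constructed
and the record schema is an assumption, not a real product format.
"""
from datetime import datetime, timedelta
from typing import Dict, List
import ntpath

# Constructed, normalized telemetry records (assumed schema). Times are ISO 8601.
SAMPLE_EVENTS: List[Dict] = [
    # Suspicious sequence: service installed, payload run, service removed,
    # then a file in the same directory deleted seconds later.
    {"ts": "2025-09-12T10:00:01", "type": "service_installed",
     "service": "UpdSvc", "image": r"C:\Users\Public\BugSplatHD64.exe"},
    {"ts": "2025-09-12T10:00:03", "type": "process_start",
     "service": "UpdSvc", "image": r"C:\Users\Public\BugSplatHD64.exe"},
    {"ts": "2025-09-12T10:00:09", "type": "service_removed", "service": "UpdSvc"},
    {"ts": "2025-09-12T10:00:10", "type": "file_deleted",
     "path": r"C:\Users\Public\payload_placeholder.dll"},  # constructed name
    # Benign baseline: installer-created service that is never removed.
    {"ts": "2025-09-12T09:00:00", "type": "service_installed",
     "service": "PrinterSvc", "image": r"C:\Program Files\Vendor\svc.exe"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_short_lived_services(events: List[Dict],
                              window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one finding per service installed and removed within `window`.

    Each finding carries the service name, the image it pointed at, its
    lifetime in seconds, and whether a file in the image's directory was
    deleted within `window` after removal (the cleanup described under
    T1070.009). A service that is never removed produces no finding.
    """
    installs: Dict[str, Dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "service_installed":
            installs.setdefault(ev["service"], ev)  # keep the earliest install

    deletions = [ev for ev in events if ev["type"] == "file_deleted"]
    findings: List[Dict] = []
    for ev in events:
        if ev["type"] != "service_removed":
            continue
        inst = installs.get(ev["service"])
        if inst is None:
            continue
        lifetime = _parse(ev["ts"]) - _parse(inst["ts"])
        if lifetime < timedelta(0) or lifetime > window:
            continue
        # ntpath handles Windows separators regardless of the host OS.
        image_dir = ntpath.dirname(inst["image"]).lower()
        cleanup = any(
            ntpath.dirname(d["path"]).lower() == image_dir
            and timedelta(0) <= _parse(d["ts"]) - _parse(ev["ts"]) <= window
            for d in deletions
        )
        findings.append({
            "service": ev["service"],
            "image": inst["image"],
            "lifetime_seconds": int(lifetime.total_seconds()),
            "payload_cleanup": cleanup,
        })
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_services(SAMPLE_EVENTS):
        print(finding)
```

The window is deliberately short: legitimate service churn (installer upgrades, driver packages) usually leaves the service in place or replaces it in a separate session, whereas the loader behaviour described here creates, uses and removes the service in one burst. Tune the window against your own baseline before alerting on it.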
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1] |