S1233 PAKLOG
PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed in use in 2024. PAKLOG is deployed via a RAR archive (e.g., `key.rar`) containing two files: a signed, legitimate binary (`PACLOUD.exe`) and the malicious PAKLOG DLL (`pa_lang2.dll`). The `PACLOUD.exe` binary is used to side-load the PAKLOG DLL, which then starts the keylogger functionality.[1]

| Item | Value |
|---|---|
| ID | S1233 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 21 October 2025 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1010 | Application Window Discovery | PAKLOG has used `GetForegroundWindow` to access the foreground window.[1] PAKLOG has also captured text from the foreground windows.[1] |
| enterprise | T1115 | Clipboard Data | PAKLOG has monitored and extracted clipboard contents.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | PAKLOG has stored the captured data in a file located at `C:\Users\Public\Libraries\record.txt`.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | PAKLOG has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | PAKLOG has captured keystrokes using the Windows API.[1] |
| enterprise | T1106 | Native API | PAKLOG has used the Windows API `SetWindowsHookExW` with `idHook` set to `WH_KEYBOARD_LL` and a custom hook procedure to support its keylogging functions.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | PAKLOG has utilized a simple encoding mechanism to encode characters in the buffer.[1] |
| enterprise | T1057 | Process Discovery | PAKLOG has detected and logged the full path of processes active in the foreground using Windows API calls.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | PAKLOG has used legitimate signed binaries such as `PACLOUD.exe` for follow-on execution of malicious DLLs through DLL side-loading.[1] |
| enterprise | T1124 | System Time Discovery | PAKLOG has collected a timestamp to log the precise time a key was pressed, formatted as `%Y-%m-%d %H:%M:%S`.[1] |
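
The description and the table above give a defender three host-level observables: the signed host `PACLOUD.exe` loading `pa_lang2.dll` (DLL side-loading, T1574.001), the staging file `C:\Users\Public\Libraries\record.txt` (T1074.001), and the `%Y-%m-%d %H:%M:%S` timestamp written per keystroke (T1124). The following Python is an added example, not code from the ATT&CK entry or from any vendor report; it turns those observables into simple triage checks run over constructed telemetry. The event schema (`event`, `process`, `image`, `path` keys) is an assumption made for this example, and because the page documents only the timestamp format and not the rest of the record layout, the content check on a recovered `record.txt` is limited to counting timestamp-prefixed lines.

```python
"""Triage checks for PAKLOG (S1233) indicators over constructed telemetry.

Added example, not from the ATT&CK page. The indicator values come from the
page; the event dict schema below is an assumption of this example.
"""
import re
from typing import Iterable

# Indicators taken from the ATT&CK entry for PAKLOG (compared case-insensitively).
STAGING_FILE = r"c:\users\public\libraries\record.txt"
SIDELOAD_HOST = "pacloud.exe"   # signed, legitimate host binary
SIDELOAD_DLL = "pa_lang2.dll"   # malicious DLL the host side-loads

# Timestamp format the page reports for each logged keystroke: %Y-%m-%d %H:%M:%S
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def _normalize(path: str) -> str:
    """Lower-case a Windows path and unify separators."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    """Return the lower-cased final component of a Windows path."""
    return _normalize(path).rsplit("\\", 1)[-1]


def is_staging_file(path: str) -> bool:
    """True if the path is PAKLOG's documented local staging file (T1074.001)."""
    return _normalize(path) == STAGING_FILE


def is_sideload_pair(process_path: str, image_path: str) -> bool:
    """True when the signed host process loads the PAKLOG DLL (T1574.001)."""
    return _basename(process_path) == SIDELOAD_HOST and _basename(image_path) == SIDELOAD_DLL


def triage_events(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Map telemetry events to (ATT&CK technique id, reason) findings.

    Assumed schema: each event is a dict with 'event' ("ImageLoad" or
    "FileCreate"), 'process', and either 'image' (for loads) or 'path'
    (for file creation). Events of other kinds are ignored.
    """
    findings: list[tuple[str, str]] = []
    for ev in events:
        if ev.get("event") == "ImageLoad" and is_sideload_pair(ev["process"], ev["image"]):
            findings.append(("T1574.001",
                             f"{_basename(ev['process'])} loaded {_basename(ev['image'])}"))
        elif ev.get("event") == "FileCreate" and is_staging_file(ev["path"]):
            findings.append(("T1074.001",
                             f"{_basename(ev['process'])} wrote {ev['path']}"))
    return findings


def count_timestamped_lines(text: str) -> int:
    """Count lines beginning with a %Y-%m-%d %H:%M:%S timestamp.

    The page documents only the timestamp format, not the full record layout,
    so this is a weak content heuristic for a recovered record.txt, not a
    signature.
    """
    return sum(1 for line in text.splitlines() if TIMESTAMP_RE.match(line))


# Constructed sample telemetry (not real data): one side-load, one staging
# write, and two benign events that must not fire.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "process": r"C:\Users\bob\Downloads\key\PACLOUD.exe",
     "image": r"C:\Users\bob\Downloads\key\pa_lang2.dll"},
    {"event": "FileCreate", "process": r"C:\Users\bob\Downloads\key\PACLOUD.exe",
     "path": r"C:\Users\Public\Libraries\record.txt"},
    {"event": "ImageLoad", "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\user32.dll"},
    {"event": "FileCreate", "process": r"C:\Windows\notepad.exe",
     "path": r"C:\Users\Public\Libraries\notes.txt"},
]

if __name__ == "__main__":
    for technique, reason in triage_events(SAMPLE_EVENTS):
        print(f"{technique}: {reason}")
```

Running the block prints one finding each for the side-load and the staging write; the benign `explorer.exe` and `notepad.exe` events produce nothing. In a real pipeline the same two predicates map directly onto image-load and file-create telemetry from Sysmon or an EDR, and the staging path is worth a file-integrity watch on its own since it lives under the world-writable `C:\Users\Public` tree.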

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | 1 |