S1234 SplatCloak
SplatCloak is malware that disables EDR-related routines used by Windows Defender and Kaspersky in order to evade detection. SplatCloak has been deployed by SplatDropper and has been used by Mustang Panda since 2025.1
| Item | Value |
|---|---|
| ID | S1234 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1083 | File and Directory Discovery | SplatCloak has used Windows APIs to identify files associated with Windows Defender and Kaspersky.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | SplatCloak has identified and disabled API callback routines registered by Windows Defender and Kaspersky.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.001 | Invalid Code Signature | SplatCloak has been signed with a revoked certificate to abuse an exception in the Windows driver code-signing policy under which drivers signed with certificates issued before a specific date are still allowed to load.1 |
| enterprise | T1106 | Native API | SplatCloak has dynamically invoked Native Windows API calls such as ZwQuerySystemInformation.1 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | SplatCloak has identified drivers belonging to AV solutions by searching for related filenames, keywords and signing certificates.1 |
| enterprise | T1082 | System Information Discovery | SplatCloak has collected the Windows build number using the Windows kernel API RtlGetVersion and checked whether it is 19000 or higher (Windows 10 version 2004 or later).1 |
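The T1036.001 and T1518.001 rows above describe two things a defender can hunt for from the other side: a loaded kernel driver whose signing certificate is revoked or predates the policy cutoff, and the set of drivers (and their signers) present on the host. The following PowerShell script is an added hunting example, not code from the ATT&CK entry or from the SplatCloak sample. It inventories running kernel drivers via Win32_SystemDriver, validates each driver's Authenticode signer, and flags drivers whose signer fails chain or revocation validation or was issued before a cutoff date. The cutoff date is supplied by the caller because the entry only says "a specific date"; the path normalisation rules for Win32_SystemDriver.PathName are assumptions about common prefix forms.

```powershell
# Added hunting example (not from the ATT&CK entry or the SplatCloak sample).
# Lists running kernel drivers, checks each driver's Authenticode signer, and
# flags drivers whose certificate is revoked/untrusted or was issued before a
# caller-supplied cutoff. The cutoff is an assumption: the entry only says
# "a specific date", so pass the date that applies to your driver policy.
# Run from an elevated PowerShell session on the host being examined.
param(
    [Parameter(Mandatory = $true)]
    [datetime]$CertIssuedBeforeCutoff
)

$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

foreach ($drv in $loaded) {
    # PathName may be quoted or carry \??\, \SystemRoot\ or bare System32\
    # prefixes (assumed forms); normalise to a file-system path.
    $path = $drv.PathName.Trim('"')
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Inbox drivers are usually catalog-signed; Get-AuthenticodeSignature
    # resolves those through the catalog and reports SignatureType=Catalog.
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        [pscustomobject]@{
            Driver = $drv.Name; Path = $path; Finding = 'Unsigned'
            Signer = $null;     NotBefore = $null
        }
        continue
    }

    # X509Certificate2.Verify() builds a chain with online revocation checking,
    # so a revoked signer returns $false even when the Authenticode status is
    # still reported as Valid.
    $chainOk  = $cert.Verify()
    $findings = @()
    if ($sig.Status -ne 'Valid')                      { $findings += "AuthenticodeStatus=$($sig.Status)" }
    if (-not $chainOk)                                { $findings += 'ChainOrRevocationFailure' }
    if ($cert.NotBefore -lt $CertIssuedBeforeCutoff)  { $findings += 'IssuedBeforeCutoff' }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Driver    = $drv.Name
            Path      = $path
            Finding   = ($findings -join ';')
            Signer    = $cert.Subject
            NotBefore = $cert.NotBefore
        }
    }
}
```

Invoke it as `.\Find-SuspectDrivers.ps1 -CertIssuedBeforeCutoff '<policy cutoff date>'` and pipe the output to `Format-Table` or `Export-Csv`. An IssuedBeforeCutoff finding on its own is not evidence of compromise, since many legitimate vendors still ship drivers signed under the same exception; the combination of an old or revoked signer with a driver name that matches no known vendor, or a driver that appeared shortly before Defender or Kaspersky stopped producing telemetry, is what warrants pulling the binary for analysis.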
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | 1 |