S1235 CorKLOG
CorKLOG is a keylogger known to be used by Mustang Panda and first observed in use in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar) containing two files: a legitimate executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll), which the executable side-loads. CorKLOG has established persistence on the system by creating services or scheduled tasks.[1]
| Item | Value |
|---|---|
| ID | S1235 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | CorKLOG has created a service to establish persistence.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | CorKLOG has stored the captured data in an encrypted file using a 48-character RC4 key.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | CorKLOG has decoded XOR-encrypted strings.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | CorKLOG has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | CorKLOG has captured keystrokes.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | CorKLOG has encrypted collected contents using RC4.[1] CorKLOG has also utilized XOR-encrypted strings.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | CorKLOG has achieved persistence through the creation of a scheduled task named TableInputServices by using the command `schtasks /create /tn TabletlnputServices /tr /sc minute /mo 10 /f`.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | CorKLOG has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs through DLL side-loading.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1] |