S1236 CLAIMLOADER
CLAIMLOADER is a malware variant that frequently accompanies legitimate executables used for DLL side-loading. It is known to be leveraged by Mustang Panda and was first observed in use in 2021.[1][2]
| Item | Value |
|---|---|
| ID | S1236 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | CLAIMLOADER has added Registry Run keys to achieve persistence using HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | CLAIMLOADER has decoded its payload prior to execution.[1][2] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.002 | Mutual Exclusion | CLAIMLOADER has created a hardcoded mutex to ensure only a single instance of the malware is running.[1][2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | CLAIMLOADER has modified file attributes to remain hidden from a standard user.[2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | CLAIMLOADER has used a legitimately signed executable to execute a malicious payload within a DLL file.[1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | CLAIMLOADER has leveraged Component Object Model (COM) objects to create a scheduled task using the ITaskService interface.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | CLAIMLOADER has imitated legitimate software directories by creating and storing its EXE and DLL in C:\ProgramData\ and by using legitimate-looking software names.[2] |
| enterprise | T1106 | Native API | CLAIMLOADER has used various Windows API calls during execution, when establishing persistence, and for defense evasion.[1][2] CLAIMLOADER has also leveraged legitimate API functions to run its shellcode through their callback parameters, including GetDC() and EnumFontsW().[1] CLAIMLOADER established persistence by utilizing the API SHSetValue().[1] CLAIMLOADER has utilized APIs with callback functions such as EnumPropsExW, EnumSystemLanguageGroupsA, and EnumCalendarInfoExW.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.007 | Dynamic API Resolution | CLAIMLOADER has utilized XOR-encrypted API names and the native APIs LdrLoadDll() and LdrGetProcedureAddress() to resolve imports dynamically.[1][2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | CLAIMLOADER has created scheduled tasks that execute the loader every five (5) minutes using `schtasks /F /Create /TN "…" … "C:\ProgramData\…"` |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | CLAIMLOADER has used tailored decoy documents as part of the installation routine to entice users to open attachments.[2] |
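A defender-side triage routine for the persistence and masquerading rows above (T1547.001, T1053.005, T1036.005), added here as an example; it is not code from MITRE or from the cited reports. The event schema, field names and sample records are constructed, and the five-minute threshold follows the interval stated on this page.

```python
"""Triage constructed endpoint events for CLAIMLOADER-style persistence:
Run-key values pointing into C:\\ProgramData and schtasks-created tasks that
re-run a ProgramData binary every few minutes. Schema and samples are constructed."""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")
MAX_MINUTES = 5  # page reports a five-minute trigger for CLAIMLOADER

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\ProgramData\VendorApp\app.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /F /Create /TN "Updater" /SC MINUTE /MO 5 /TR "C:\ProgramData\VendorApp\app.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /TN "Backup" /SC DAILY /TR "C:\Program Files\Backup\backup.exe"'},
]

def under_programdata(path: str) -> bool:
    """True if a quoted or unquoted Windows path lies below C:\\ProgramData (case-insensitive)."""
    return PROGRAMDATA in PureWindowsPath(path.strip('"')).parents

def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into {switch: value}; bare switches such as /F map to ''."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    flags, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) and not tokens[i + 1].startswith("/") else ""
            flags[tokens[i][1:].lower()] = nxt.strip('"')
            i += 2 if nxt else 1
        else:
            i += 1
    return flags

def check_registry(ev: dict) -> list:
    """Run-key value whose data points into C:\\ProgramData."""
    return ["T1547.001", "T1036.005"] if RUN_KEY.search(ev["key"]) and under_programdata(ev["data"]) else []

def check_schtasks(ev: dict) -> list:
    """schtasks /Create with a minute trigger of MAX_MINUTES or less whose action is under C:\\ProgramData.
    Tasks registered through the COM ITaskService interface (also used by CLAIMLOADER) never spawn
    schtasks.exe, so pair this rule with task-registration telemetry rather than relying on it alone."""
    if PureWindowsPath(ev["image"]).name.lower() != "schtasks.exe":
        return []
    f = parse_schtasks(ev["cmdline"])
    if "create" not in f or f.get("sc", "").lower() != "minute":
        return []
    return ["T1053.005", "T1036.005"] if int(f.get("mo") or 1) <= MAX_MINUTES and under_programdata(f.get("tr", "")) else []

def triage(events: list) -> list:
    """Return (event index, ATT&CK technique IDs) for every event that trips a rule."""
    checks = {"registry": check_registry, "process": check_schtasks}
    return [(i, ids) for i, ev in enumerate(events) if (ids := checks.get(ev["type"], lambda e: [])(ev))]
```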
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1][2] |
References
1. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
2. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.