S1237 CANONSTAGER
CANONSTAGER is a loader known to be used by Mustang Panda and was first observed in use in 2025. Mustang Panda uses DLL side-loading to execute it within the victim environment before delivering a follow-on encrypted malicious payload. CANONSTAGER uses Thread Local Storage (TLS) and native Windows APIs within the victim environment to evade detection, and it also hides its code behind window procedures and message queues.[1]
| Item | Value |
|---|---|
| ID | S1237 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 22 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | CANONSTAGER has created a new window with a height and width of zero so that it remains hidden on the screen.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | CANONSTAGER has abused legitimate executables to side-load malicious DLLs.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | CANONSTAGER has used a DLL name that matches a legitimate component: cnmpaui.dll, which pairs with the legitimate executable cnmpaui.exe of the Canon Ink Jet Printer Assistant Tool.[1] |
| enterprise | T1106 | Native API | CANONSTAGER has used Native API calls to execute code on the victim's system, including GetCurrentDirectoryW, RegisterClassW and CreateWindowExW.[1] CANONSTAGER also created a new overlapped window whose window procedure processes Windows messages until the designated message type WM_SHOWWINDOW (0x0018) is observed, which then triggers deployment of the subsequent malicious payload.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.007 | Dynamic API Resolution | CANONSTAGER has used custom API hashing to obfuscate the Windows APIs it calls.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.005 | Thread Local Storage | CANONSTAGER uses the Thread Local Storage (TLS) array data structure to store function addresses resolved by its custom API hashing algorithm. The function addresses are later called throughout the binary via offsets into the TLS array.[1] |
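The DLL side-loading and masquerading rows above (T1574.001 and T1036.005) describe a DLL named to match the component a legitimate Canon executable expects. The following detection sketch is an added example, not code from the ATT&CK entry or from any vendor: it scans constructed records in the shape of Sysmon Event ID 7 (Image Loaded) and flags a cnmpaui.dll load by cnmpaui.exe when the DLL comes from outside an expected install directory or is not validly signed. The executable/DLL pairing comes from the page; the trusted directories, field layout and sample events are assumptions made for this example.

```python
"""Side-load detection sketch for the cnmpaui.exe -> cnmpaui.dll pairing.

Added example, not code from the ATT&CK page. Input records mimic Sysmon
Event ID 7 (Image Loaded) fields; the trusted directories and the sample
events are constructed assumptions.
"""
import ntpath
from typing import Dict, Iterable, List, Optional

# Pairing taken from the page: host executable -> DLL name it expects to load.
SIDELOAD_PAIRS: Dict[str, str] = {
    "cnmpaui.exe": "cnmpaui.dll",
}

# Assumed directories where the legitimate DLL would normally reside.
TRUSTED_DIRS = (
    "c:\\program files\\canon\\",
    "c:\\program files (x86)\\canon\\",
    "c:\\windows\\system32\\",
)


def is_trusted_location(image_path: str) -> bool:
    """True if the module path sits under one of the assumed vendor/OS directories."""
    p = image_path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def evaluate_image_load(event: Dict[str, str]) -> Optional[dict]:
    """Return a finding for a suspicious tracked DLL load, or None if benign/untracked."""
    proc = ntpath.basename(event["Image"]).lower()
    module = ntpath.basename(event["ImageLoaded"]).lower()
    expected_dll = SIDELOAD_PAIRS.get(proc)
    if expected_dll is None or module != expected_dll:
        return None  # not a host/DLL pair this rule tracks
    reasons: List[str] = []
    if not is_trusted_location(event["ImageLoaded"]):
        reasons.append("dll loaded from untrusted directory")
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or event.get("SignatureStatus", "") != "Valid":
        reasons.append("dll not validly signed")
    if not reasons:
        return None
    return {"process": event["Image"], "module": event["ImageLoaded"], "reasons": reasons}


def scan(events: Iterable[Dict[str, str]]) -> List[dict]:
    """Apply the rule to a stream of image-load events and collect findings."""
    return [f for f in (evaluate_image_load(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry): one legitimate load, one
# side-load from a user-writable directory, one unrelated load.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Canon\\IJPLM\\cnmpaui.exe",
     "ImageLoaded": "C:\\Program Files\\Canon\\IJPLM\\cnmpaui.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup\\cnmpaui.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup\\cnmpaui.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the DLL's location and signature rather than on the host process path alone, because the legitimate executable can itself be copied next to the malicious DLL; a path-only check on the executable would miss that arrangement.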
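The Dynamic API Resolution row (T1027.007) says the loader resolves imports by custom API hashing, so static analysis sees hash constants rather than names. The usual analyst response is to recover the hash routine from the sample and precompute a hash-to-name table over the exports of the relevant system DLLs. The block below is an added example, not code from the page; because the page does not disclose CANONSTAGER's algorithm, `api_hash` is a placeholder ROR-13 routine (an assumption) that an analyst would replace with the recovered one, and the export list is constructed inline rather than read from a DLL.

```python
"""Hash-to-export-name resolver for analysing API-hashing loaders.

Added example, not code from the ATT&CK page. `api_hash` is a placeholder
ROR-13 routine, NOT CANONSTAGER's real algorithm (which the page does not
give); swap in the routine recovered from the sample. The export list is a
constructed stand-in for a DLL's export table.
"""
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Placeholder hash (assumption): ROR-13 accumulate over the ASCII bytes."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h


def build_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name; a collision would make resolution ambiguous."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r}")
        table[h] = name
    return table


def resolve(table: Dict[int, str], value: int) -> Optional[str]:
    """Look up one hash constant observed in the binary."""
    return table.get(value & MASK32)


# Constructed export list: the APIs the page names plus two common ones.
SAMPLE_EXPORTS = [
    "GetCurrentDirectoryW", "RegisterClassW", "CreateWindowExW",
    "LoadLibraryA", "GetProcAddress",
]


def resolve_observed(hashes: Iterable[int]) -> List[Tuple[int, Optional[str]]]:
    """Resolve a list of observed hash constants against the sample export table."""
    table = build_table(SAMPLE_EXPORTS)
    return [(h, resolve(table, h)) for h in hashes]


if __name__ == "__main__":
    # Constructed "observed" constants: hashes of two names plus one unknown.
    observed = [api_hash("CreateWindowExW"), api_hash("RegisterClassW"), 0xDEADBEEF]
    for value, name in resolve_observed(observed):
        print(f"0x{value:08x} -> {name or '<unresolved>'}")
```

In practice the export names are pulled from the actual DLLs on the analysed system's Windows build, since the hash table is only as complete as the export list it was built from, and any unresolved constants are the first candidates for a mistaken hash routine or a DLL not yet included.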
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1] |