S1238 STATICPLUGIN
STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and was first observed in use in 2025. STATICPLUGIN has been signed with a valid certificate in order to bypass endpoint security protections. STATICPLUGIN masqueraded as a legitimate software installer by using a custom TForm. STATICPLUGIN has been leveraged to deploy a loader that facilitates follow-on malware.[1]
| Item | Value |
|---|---|
| ID | S1238 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 12 September 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | STATICPLUGIN has used the Windows COM Installer Object to download an MSI package containing files masqueraded as a BMP file.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | STATICPLUGIN has used naming conventions that match legitimate services, such as AdobePlugins.exe.[1] |
| enterprise | T1036.008 | Masquerade File Type | STATICPLUGIN has masqueraded as a BMP file to hide its true MSI file extension.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | STATICPLUGIN has been signed with a certificate issued by a valid Certificate Authority (CA) to circumvent endpoint defenses.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | STATICPLUGIN has required user execution to load subsequent malicious payloads.[1] |
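The T1036.008 row above describes an MSI package delivered under a .bmp name. A content-versus-extension check is the simplest defender-side detection for that: BMP data starts with the ASCII bytes `BM`, while MSI packages are OLE Compound File containers starting with `D0 CF 11 E0 A1 B1 1A E1`. The following is an added example, not code from the ATT&CK entry or from the cited report; the sample inputs are constructed header bytes, not real artefacts.

```python
"""Flag files whose extension does not match their leading bytes (T1036.008).

Added example. Only the signatures relevant to this entry are checked:
BMP images, OLE Compound File containers (the format of MSI packages,
also used by legacy Office documents) and PE executables.
"""
from pathlib import PurePath

# Well-known file-format magic bytes (format constants, not page-specific IoCs)
SIGNATURES = {
    b"BM": "bmp",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-cf",  # container used by MSI
    b"MZ": "pe",
}

# Which detected formats are acceptable for a claimed extension
EXPECTED = {".bmp": {"bmp"}, ".msi": {"ole-cf"}, ".exe": {"pe"}}


def detect_format(data: bytes) -> str:
    """Return the format name whose magic bytes lead the data, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected content type.

    Extensions not listed in EXPECTED are not judged (mismatch stays False).
    """
    ext = PurePath(name).suffix.lower()
    fmt = detect_format(data)
    allowed = EXPECTED.get(ext)
    mismatch = allowed is not None and fmt not in allowed
    return {"name": name, "extension": ext, "detected": fmt, "mismatch": mismatch}


# Constructed samples: header bytes plus zero padding, not real malware
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {
    "wallpaper.bmp": b"BM" + b"\x00" * 30,          # genuine BMP header
    "image.bmp": OLE_HEADER + b"\x00" * 24,          # MSI content under a .bmp name
    "setup.msi": OLE_HEADER + b"\x00" * 24,          # MSI with its real extension
}


def scan_samples() -> list:
    """Run the check over the constructed samples; one dict per file."""
    return [check_file(n, d) for n, d in SAMPLES.items()]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

In a real pipeline the same check would be applied to files written by msiexec.exe or dropped under a browser download path, with the mismatch result feeding an alert rather than a print.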
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | [1] |