
CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44)

CANONSTAGER is a loader known to be leveraged by Mustang Panda and first observed in use in 2025. Mustang Panda uses DLL side-loading to execute it within the victim environment before delivering a follow-on encrypted malicious payload. CANONSTAGER leverages Thread Local Storage (TLS) and native Windows APIs within the victim environment to evade detection, and it also hides its code by using window procedures and message queues.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) | Malware | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 1 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) | Malware | 1 |
| Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) | Attack Pattern | CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) | Malware | 1 |
| CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) | Malware | Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | 1 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) | Malware | 1 |
| CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) | Malware | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 2 |
| DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) | Attack Pattern | 2 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |