Skip to content

Hide Navigation Hide TOC

CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44)

CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) Attack Pattern 1
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) Attack Pattern 2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2