Skip to content

Hide Navigation Hide TOC

CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44)

CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern CANONSTAGER - S1237 (3d1f234e-6c60-43c1-b1f1-6bbc9e5b8e44) Malware 1
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2