SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)

SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)	Malware	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)	Malware	1
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)	Malware	1
SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
SplatCloak - S1234 (f39c6d39-0165-46db-a7ae-43341c428d22)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2