SplatDropper is a loader that uses the native Windows API to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and has used a legitimate executable for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed in 2025.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | SplatDropper has created a service to execute a payload.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SplatDropper has decoded an XOR-encrypted payload.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | SplatDropper has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | SplatDropper has deleted its malicious payload and removed the service it created to avoid leaving traces of its presence on victim devices.[1] |
| Enterprise | T1106 | Native API | SplatDropper has utilized hashed native Windows API calls.[1] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | SplatDropper has leveraged hashed Windows API calls using a seed value of "131313".[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | SplatDropper has also utilized an XOR-encrypted payload.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | SplatDropper has used legitimate signed binaries such as BugSplatHD64.exe for follow-on execution of malicious DLLs through DLL side-loading.[1] |
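The service-creation, payload-execution and clean-up behaviour listed above (T1543.003 followed by T1070.009) leaves a recognisable trace: a service that is installed and then has its registry key removed minutes later. The following is an added detection example, not code from ATT&CK, the cited report or SplatDropper itself. It correlates Windows System log Event ID 7045 ("A service was installed in the system") with Sysmon Event ID 12 `DeleteKey` events under `HKLM\System\CurrentControlSet\Services\<name>`, and additionally flags install paths in user-writable directories, where side-loaded binaries are commonly staged. The record schema, service name `UpdateSvc`, the threshold window and all sample events are constructed for this example; map the field names to your own SIEM schema.

```python
"""Short-lived Windows service detection (constructed example)."""
from datetime import datetime, timedelta

# Sysmon 12 TargetObject prefix for service definitions.
SERVICES_KEY_PREFIX = r"HKLM\System\CurrentControlSet\Services" + "\\"

# Path fragments that indicate a user-writable staging location (heuristic).
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def service_name_from_key(target_object: str):
    """Return the service name from a Services registry key path, else None."""
    if target_object.lower().startswith(SERVICES_KEY_PREFIX.lower()):
        rest = target_object[len(SERVICES_KEY_PREFIX):]
        return rest.split("\\", 1)[0] or None
    return None


def is_user_writable_path(image_path: str) -> bool:
    """Heuristic: does the service binary live outside Program Files/System32?"""
    return any(hint in image_path.lower() for hint in USER_WRITABLE_HINTS)


def find_short_lived_services(events, window=timedelta(minutes=10)):
    """Correlate 7045 installs with Sysmon 12 DeleteKey within `window`.

    `events` is an iterable of dicts with keys: ts (ISO 8601), source,
    event_id and, depending on type, service_name/image_path or
    event_type/target_object. Returns a list of alert dicts.
    """
    installs = {}  # lowercase service name -> (install time, event)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["source"] == "System" and ev["event_id"] == 7045:
            installs[ev["service_name"].lower()] = (ts, ev)
        elif (ev["source"] == "Sysmon" and ev["event_id"] == 12
              and ev.get("event_type") == "DeleteKey"):
            name = service_name_from_key(ev["target_object"])
            if name and name.lower() in installs:
                t0, inst = installs.pop(name.lower())
                if ts - t0 <= window:
                    alerts.append({
                        "service_name": inst["service_name"],
                        "image_path": inst["image_path"],
                        "lifetime_seconds": int((ts - t0).total_seconds()),
                        "user_writable_path": is_user_writable_path(inst["image_path"]),
                    })
    return alerts


# Constructed sample telemetry: one suspicious install/delete pair, one
# long-lived vendor service, and one deletion with no matching install.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "source": "System", "event_id": 7045,
     "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"ts": "2025-03-01T10:00:00", "source": "System", "event_id": 7045,
     "service_name": "UpdateSvc",
     "image_path": r"C:\ProgramData\Update\BugSplatHD64.exe"},
    {"ts": "2025-03-01T10:00:05", "source": "Sysmon", "event_id": 1,
     "image": r"C:\ProgramData\Update\BugSplatHD64.exe"},
    {"ts": "2025-03-01T10:02:30", "source": "Sysmon", "event_id": 12,
     "event_type": "DeleteKey",
     "target_object": r"HKLM\System\CurrentControlSet\Services\UpdateSvc"},
    {"ts": "2025-03-01T10:05:00", "source": "Sysmon", "event_id": 12,
     "event_type": "DeleteKey",
     "target_object": r"HKLM\System\CurrentControlSet\Services\OldSvc"},
]


def run_sample():
    """Run the detection over the constructed sample and return the alerts."""
    return find_short_lived_services(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The deletion of the service's registry key is used as the removal signal because Sysmon records it directly, whereas the System log has no dedicated "service deleted" event. The 10-minute window and the user-writable-path list are tuning knobs; a real deployment would also join on the process that performed the deletion and on Sysmon file-delete events for the payload.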
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |