PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed in use in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar) which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL, which starts the keylogger functionality.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1010 | Application Window Discovery | PAKLOG has used |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | PAKLOG has stored the captured data in a file located |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | PAKLOG has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1106 | Native API | PAKLOG has used Windows API |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PAKLOG has utilized a simple encoding mechanism to encode characters in the buffer.[1] |
| Enterprise | T1057 | Process Discovery | PAKLOG has detected and logged the full path of processes active in the foreground using Windows API calls.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | PAKLOG has used legitimate signed binaries such as PACLOUD.exe for follow-on execution of malicious DLLs through DLL side-loading.[1] |
| Enterprise | T1124 | System Time Discovery | PAKLOG has collected a timestamp to log the precise time a key was pressed, formatted as %Y-%m-%d %H:%M:%S.[1] |
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |