CLAIMLOADER

CLAIMLOADER is a malware variant that frequently accompanies legitimate executables used for DLL side-loading. It is known to be leveraged by Mustang Panda and was first observed in use in 2021.[1][2]

ID: S1236
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 12 September 2025
Last Modified: 21 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

CLAIMLOADER has added Registry Run keys to achieve persistence using HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

CLAIMLOADER has decoded its payload prior to execution.[1][2]

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

CLAIMLOADER has created a hardcoded mutex to ensure only a single instance of the malware is running.[1][2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

CLAIMLOADER has modified file attributes to remain hidden to a standard user.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL

CLAIMLOADER has used a legitimately signed executable to execute a malicious payload within a DLL file.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

CLAIMLOADER has leveraged Component Object Model (COM) objects to create a scheduled task using the ITaskService interface.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

CLAIMLOADER has imitated legitimate software directories by creating and storing its EXE and DLL in C:\ProgramData\ and using legitimate-looking software names.[2]

Enterprise T1106 Native API

CLAIMLOADER has used various Windows API calls during execution, including when establishing persistence and evading defenses.[1][2] CLAIMLOADER has also leveraged legitimate API functions that accept a callback, including GetDC() and EnumFontsW(), to run its shellcode from the callback function.[1] CLAIMLOADER established persistence by utilizing the API SHSetValue().[1] CLAIMLOADER has utilized APIs with callback functions such as EnumPropsExW, EnumSystemLanguageGroupsA, and EnumCalendarInfoExW.[2]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

CLAIMLOADER has utilized XOR-encrypted API names together with the native APIs LdrLoadDll() and LdrGetProcedureAddress() to resolve imports dynamically.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

CLAIMLOADER has created scheduled tasks that execute the loader every five (5) minutes using schtasks /F /Create /TN "<fake_software_name>" /SC minute /MO 5 /TR "C:\ProgramData\<path_to_exe> <hardcoded_argument>".[2]
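A detection-side illustration of the two persistence behaviours described above under T1547.001 (HKCU Run key) and T1053.005 (schtasks task repeating every five minutes with its target under C:\ProgramData). This is an added example, not code from MITRE or from the cited reports; the telemetry lines, task names, value names and paths are constructed.

```python
import re

# Constructed sample telemetry (not from the page's cited reports): "<type>|<detail>",
# a minimal stand-in for EDR/Sysmon process-creation and registry value-set records.
# Task names, value names and paths are hypothetical.
SAMPLE_EVENTS = [
    'process|schtasks /F /Create /TN "AdobeUpdater" /SC minute /MO 5 /TR "C:\\ProgramData\\AdobeUpdater\\update.exe 3f9a"',
    'process|schtasks /Create /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" /SC weekly /TR "C:\\Windows\\System32\\defrag.exe"',
    'registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveSync = C:\\ProgramData\\OneDriveSync\\sync.exe',
    'registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Teams = C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe',
]
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)

def parse_schtasks(cmdline):
    """Map schtasks options (uppercased, slash removed) to their value, or True for bare flags."""
    # Quoted spans such as /TR "C:\ProgramData\x.exe arg" stay single tokens.
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            opts[tok[1:].upper()] = True if nxt is None or nxt.startswith("/") else nxt
    return opts

def suspicious_task(cmdline):
    """Flag a task created to run every <=5 minutes whose target lives under C:\\ProgramData."""
    opts = parse_schtasks(cmdline)
    interval, target = str(opts.get("MO", "1")), str(opts.get("TR", ""))
    if "CREATE" not in opts or str(opts.get("SC", "")).lower() != "minute" or not interval.isdigit():
        return None
    if int(interval) <= 5 and PROGRAMDATA.match(target):
        return f"schtasks: every {interval} min runs {target!r} (task {opts.get('TN')!r})"
    return None

def suspicious_run_key(detail):
    """Flag an HKCU Run value whose target executable lives under C:\\ProgramData."""
    name, _, target = (s.strip() for s in detail.partition("="))
    if name.lower().startswith(RUN_KEY) and PROGRAMDATA.match(target):
        return "run key: %r -> %r" % (name.rsplit("\\", 1)[-1], target)
    return None

def triage(events):
    """Apply both rules and return the reason string for every matching event."""
    rules = {"process": suspicious_task, "registry": suspicious_run_key}
    reasons = (rules[kind](detail) for kind, detail in (e.split("|", 1) for e in events))
    return [r for r in reasons if r]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

Both rules key on the combination the page describes (frequent re-execution or autostart plus a ProgramData target), so a benign weekly task or a Run value under the user profile is not flagged.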

Enterprise T1204 .002 User Execution: Malicious File

CLAIMLOADER has used tailored decoy documents as part of the installation routine to entice users to open attachments.[2]

Groups That Use This Software

ID Name References
G0129 Mustang Panda [1][2]

References