CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed in use in 2025. Mustang Panda uses DLL side-loading to execute CANONSTAGER within the victim environment before delivering a follow-on encrypted malicious payload. CANONSTAGER leverages Thread Local Storage (TLS) and native Windows APIs within the victim environment to evade detection. CANONSTAGER also hides its code by using window procedures and message queues.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | CANONSTAGER has created a new window with a height and width of zero to remain hidden on the screen.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | CANONSTAGER has abused legitimate executables to side-load malicious DLLs.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | CANONSTAGER has named its malicious DLL to match a legitimate component, including cnmpaui.dll, which matches the legitimate executable cnmpaui.exe associated with the Canon Ink Jet Printer Assistant Tool.[1] |
| Enterprise | T1106 | Native API | CANONSTAGER has leveraged Native API calls to execute code within the victim's system, including |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | CANONSTAGER has utilized custom API hashing to obfuscate the Windows APIs being used.[1] |
| Enterprise | T1055.005 | Process Injection: Thread Local Storage | CANONSTAGER uses the Thread Local Storage (TLS) array data structure to store function addresses resolved by its custom API hashing algorithm. The function addresses are later called throughout the binary from offsets into the TLS array.[1] |
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |