STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and first observed in 2025. STATICPLUGIN has been signed with a valid certificate in order to bypass endpoint security protections, and it masquerades as a legitimate software installer by using a custom TForm. STATICPLUGIN has been leveraged to deploy a loader that facilitates follow-on malware.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | STATICPLUGIN has utilized the Windows Installer COM object to download an MSI package containing files masqueraded as a BMP file.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | STATICPLUGIN has leveraged naming conventions that match legitimate services, including AdobePlugins.exe.[1] |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | STATICPLUGIN has masqueraded as a BMP file to hide its true MSI file type.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | STATICPLUGIN has been signed with a certificate issued by a valid Certificate Authority (CA) to circumvent endpoint defenses.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | STATICPLUGIN has required user execution to load subsequent malicious payloads.[1] |
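The file-type masquerade above (an MSI package delivered under a .bmp name) is the one technique in this table that is cheap to detect on disk, because an MSI is an OLE Compound File with a fixed eight-byte signature and a real BMP carries a checkable header. The following is an added example, not code from the report or from the STATICPLUGIN sample: a small extension-versus-magic-bytes checker run over constructed inputs. The signature table, the extension-to-family map and the `make_*` sample builders are assumptions of this example; the CFB and PE stand-ins are header-only stubs, not real packages or binaries.

```python
import struct
from typing import Optional

# Leading-byte signatures for the container families relevant here.
# Constructed lookup table for this example, not data taken from the report.
SIGNATURES = {
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE Compound File: MSI, legacy Office
    "pe":  b"MZ",                                 # PE executables: EXE, DLL, SCR
    "png": b"\x89PNG\r\n\x1a\n",
    "bmp": b"BM",
}

# Which container family a given extension is expected to carry (assumed mapping).
EXT_TO_FAMILY = {
    "msi": "ole", "doc": "ole", "xls": "ole", "ppt": "ole",
    "exe": "pe", "dll": "pe", "scr": "pe",
    "png": "png",
    "bmp": "bmp",
}


def sniff_family(data: bytes) -> Optional[str]:
    """Return the container family implied by the file content, or None if unrecognised."""
    if data.startswith(SIGNATURES["ole"]):
        return "ole"
    if data.startswith(SIGNATURES["png"]):
        return "png"
    if data.startswith(SIGNATURES["bmp"]) and len(data) >= 14:
        # BITMAPFILEHEADER: 'BM', u32 file size, u16 reserved x2, u32 pixel-data offset.
        size, _r1, _r2, offset = struct.unpack_from("<IHHI", data, 2)
        if size == len(data) and 14 <= offset <= len(data):
            return "bmp"
    if data.startswith(SIGNATURES["pe"]) and len(data) >= 0x40:
        # IMAGE_DOS_HEADER.e_lfanew at 0x3c points at the 'PE\0\0' signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the family claimed by the extension with the family found in the bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_FAMILY.get(ext)
    actual = sniff_family(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # Only flag when we positively recognised the content and it disagrees.
        "mismatch": actual is not None and claimed != actual,
    }


# --- constructed sample inputs (stand-ins, not real malware artifacts) ---

def make_cfb_stub(size: int = 512) -> bytes:
    """CFB/OLE magic followed by zero padding: what an MSI looks like in its first bytes."""
    return SIGNATURES["ole"] + b"\x00" * (size - len(SIGNATURES["ole"]))


def make_bmp() -> bytes:
    """A genuine 1x1 24-bit BMP: file header, BITMAPINFOHEADER, one padded pixel row."""
    pixels = b"\x00\x00\xff\x00"  # one BGR pixel plus padding to a 4-byte row
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + pixels


def make_pe_stub() -> bytes:
    """MZ header with e_lfanew -> 'PE\\0\\0' (header-only stub, not loadable)."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 60


SAMPLES = {
    "plugin.bmp":        make_cfb_stub(),  # the STATICPLUGIN pattern: MSI content, .bmp name
    "logo.bmp":          make_bmp(),       # honest bitmap
    "AdobePlugins.exe":  make_pe_stub(),   # legitimate-looking name; content is what it claims
    "setup.msi":         make_cfb_stub(),  # honest installer
}


def flagged_names(samples: dict = SAMPLES) -> list:
    """Names whose content family contradicts their extension."""
    return [n for n, d in samples.items() if check_file(n, d)["mismatch"]]


if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(check_file(n, d))
    print("flagged:", flagged_names())
```

The check deliberately reports a mismatch only when the content is positively recognised, so unknown formats do not generate noise. Note what it does not cover: a name such as AdobePlugins.exe that matches a legitimate product (T1036.005) is invisible to a magic-byte check, and a binary carrying a valid signature (T1553.002) will pass Authenticode validation; for the latter the useful question is who the signer is and whether that publisher is expected on the host, not merely whether the chain validates.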
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |