S1227: StarProxy
StarProxy is custom malware used by Mustang Panda as a post-compromise tool, to enable proxying of traffic between the infected machine and other machines on the same network. [1]
Analyst context for executives and security teams
StarProxy matters because ATT&CK describes it as Windows malware used after compromise to proxy traffic between an infected machine and other systems on the same network. For leaders, the key risk is not only the initially infected endpoint; it is the ability for an intruder to use that endpoint as a relay point, making command-and-control and lateral network access harder to see at the perimeter.
Executive priority
Prioritize validation of internal network visibility, endpoint telemetry, and egress controls around Windows systems that could become relay points. This behavior is material to incident response readiness because containment decisions may need to include internal traffic paths, not just internet-facing indicators. It also supports audit and resilience discussions around segmentation, least privilege, and whether the SOC can prove coverage for post-compromise command-and-control behaviors.
Technical view
ATT&CK lists StarProxy as Windows malware associated through a use relationship with Mustang Panda and linked to internal proxying, protocol or service impersonation, non-application-layer communication, symmetric cryptography, command/script execution, native API use, system time discovery, deobfuscation/decoding, and DLL-related execution or stealth. Because no official detection is provided, SOC teams should validate behavioral coverage rather than rely on a named-malware signature: unusual Windows processes relaying traffic, unexpected internal-to-internal connection brokering, suspicious command interpreter activity, anomalous DLL loads, and network sessions that appear to impersonate legitimate services or use encrypted/custom protocols.
Likely telemetry
- Windows endpoint process creation and parent/child process relationships
- Command and scripting interpreter execution records
- DLL/module load telemetry on Windows endpoints
- Endpoint network connection telemetry, including listening ports and outbound sessions
- Internal east-west network flow records between workstations, servers, and network segments
Detection direction
- Build detections around internal proxy behavior: one Windows host unexpectedly brokering traffic between external or internal endpoints and other internal systems.
- Tune for protocol mismatch or service impersonation, such as traffic that claims to be common service traffic but does not match expected protocol structure or destination patterns.
- Correlate endpoint and network views; network-only monitoring may show a legitimate internal host, while endpoint telemetry may reveal the suspicious process responsible for relay activity.
- Review command interpreter, native API-adjacent behavior, DLL loading, and decode/deobfuscation events as supporting signals rather than standalone proof.
- Account for false positives from legitimate administrative proxies, remote management tools, security scanners, and troubleshooting utilities by baselining approved relay hosts and expected ports.
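One way to turn the first and last points above into detection logic, as an added example that is not code from the ATT&CK page or from Zscaler: it correlates inbound internal sessions with near-simultaneous outbound sessions from the same host, after excluding baselined relay hosts and expected service ports (flow format, address ranges and baseline values are constructed assumptions).

```python
"""Relay-candidate detection over east-west flow records. Added example, not code
from the ATT&CK page or Zscaler; flow format, networks and baseline are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
APPROVED_RELAYS = {"10.0.0.5"}       # constructed: sanctioned proxy / jump host
EXPECTED_PORTS = {53, 80, 443, 445}  # constructed: services hosts normally serve
WINDOW = timedelta(seconds=60)       # inbound-to-outbound correlation window

# Constructed flow records, one session per line: ts,src,sport,dst,dport
SAMPLE_FLOWS = [
    "2025-04-16T10:00:00,10.0.1.20,50012,10.0.1.30,8443",    # peer -> suspect, odd port
    "2025-04-16T10:00:02,10.0.1.30,50200,203.0.113.10,443",  # suspect -> external
    "2025-04-16T10:00:06,10.0.1.30,50201,10.0.2.40,445",     # suspect -> internal server
    "2025-04-16T10:05:00,10.0.1.22,50014,10.0.0.5,8080",     # approved proxy, baselined
    "2025-04-16T10:05:01,10.0.0.5,50300,203.0.113.20,443",
    "2025-04-16T10:10:00,10.0.1.23,50015,10.0.2.50,443",     # ordinary web server
    "2025-04-16T10:10:01,10.0.2.50,50400,10.0.2.60,1433",    # web tier -> database
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flow(line):
    ts, src, sport, dst, dport = line.split(",")
    return datetime.fromisoformat(ts), src, int(sport), dst, int(dport)

def find_relay_candidates(lines):
    # Returns (host, peer_in, port_in, peer_out, port_out) for each inbound internal
    # session on a non-expected port followed, within WINDOW, by an outbound session
    # from the same host to a different peer.
    inbound, outbound = defaultdict(list), defaultdict(list)
    for ts, src, _sport, dst, dport in map(parse_flow, lines):
        if is_internal(src) and is_internal(dst):
            inbound[dst].append((ts, src, dport))
        if is_internal(src):
            outbound[src].append((ts, dst, dport))
    hits = []
    for host, sessions in inbound.items():
        if host in APPROVED_RELAYS:
            continue  # baselined relay host: brokering traffic is its job
        for ts_in, peer_in, port_in in sessions:
            if port_in in EXPECTED_PORTS:
                continue  # a known service is not evidence of relaying by itself
            for ts_out, peer_out, port_out in outbound.get(host, []):
                if peer_out != peer_in and ts_in <= ts_out <= ts_in + WINDOW:
                    hits.append((host, peer_in, port_in, peer_out, port_out))
    return sorted(hits)
```

Each hit pairs one inbound session with one outbound session, so a host that relays for many peers will surface repeatedly; aggregating hits per host is the natural next step for alerting.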
Mitigation priorities
- Reduce the value of internal proxying through network segmentation and restrictions on workstation-to-workstation and workstation-to-server communication where not required.
- Enforce controlled egress and monitor which internal hosts are allowed to initiate outbound or relay-like traffic.
- Harden Windows endpoints with least privilege, application control where feasible, and controls around untrusted DLL loading and script execution.
- Maintain endpoint and network telemetry retention sufficient for post-compromise reconstruction of relay paths.
- Prepare IR containment procedures that isolate suspected proxy hosts and also investigate systems that communicated through them.
Analyst notes and limits
The ATT&CK object is a malware entry for StarProxy, external ID S1227, in the enterprise domain. The strongest defensive value is the relationship context: StarProxy is a post-compromise proxying tool for Windows, mapped to command-and-control, execution, discovery, and stealth-related techniques. Treat the Mustang Panda relationship as ATT&CK-provided context, not as attribution for any local incident without corroborating evidence.
MITRE provides no official detection guidance, no aliases, and no object-level tactics for StarProxy in the supplied fields. The assessment is therefore behavior-focused and depends on local telemetry, baselines, segmentation design, and incident evidence. No claim is made here about active exploitation, customer exposure, or guaranteed detection coverage.
StarProxy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | StarProxy has leveraged two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm. [1] |
| Enterprise | T1574.001 | DLL (sub-technique) | StarProxy has been side-loaded by the legitimate, signed executable IsoBurner.exe. [1] |
| Enterprise | T1059 | Command and Scripting Interpreter | StarProxy has used the command line for execution of commands. [1] |
| Enterprise | T1001.003 | Protocol or Service Impersonation (sub-technique) | |
| Enterprise | T1106 | Native API | StarProxy has used native Windows API calls such as `GetLocalTime()` to retrieve system data. [1] |
| Enterprise | T1124 | System Time Discovery | StarProxy has utilized the Windows API call `GetLocalTime()` to retrieve a SystemTime structure to generate a seed value. [1] |
| Enterprise | T1090.001 | Internal Proxy (sub-technique) | StarProxy has proxied traffic between infected devices and their C2 servers. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | StarProxy has decrypted network packets using a custom algorithm. [1] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b4fc075ef486… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Zscaler. Retrieved July 21, 2025.
[2] MITRE ATT&CK. S1227: StarProxy.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.