S1232: SplatDropper
SplatDropper is a loader that utilizes the native Windows API to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and has used legitimate executables for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed in use in 2025.
Analyst context for executives and security teams
SplatDropper matters because it is a Windows loader, not just a standalone malware name. Loaders are often the point where an intrusion turns from initial delivery into payload execution. The ATT&CK data indicates use of native Windows APIs, RAR-based delivery, legitimate executables for DLL side-loading, encoded or obfuscated content, service-based persistence, and cleanup of persistence artifacts. For leaders, this means coverage should be judged by whether the organization can see suspicious archive execution, DLL side-loading around trusted binaries, Windows service changes, and post-event cleanup—not by malware name matching alone.
Executive priority
Prioritize validation of Windows endpoint visibility and incident response readiness around loader activity. The business risk is that legitimate-looking execution paths and code-signing or DLL abuse can reduce confidence in allow-listing, antivirus-only controls, and audit evidence after the fact. Security leaders should ask whether SOC teams can reconstruct execution from archive delivery through service creation or modification, whether IR teams can preserve evidence if persistence artifacts are cleared, and whether controls treat trusted executables loading unexpected DLLs as a high-value investigation path.
Technical view
SplatDropper is documented for Windows and is associated with native API use, DLL side-loading, dynamic API resolution, encoded/encrypted files, deobfuscation, Windows service persistence, code signing abuse, and clearing persistence artifacts. Detection engineering should map coverage to the related ATT&CK techniques rather than relying on a supplied malware detection analytic, because MITRE does not provide one for this object. Validate monitoring for legitimate executables loading unusual DLLs, service creation or modification, suspicious archive-to-execution chains, encoded payload staging followed by decode/deobfuscation behavior, and evidence removal related to persistence. The relationship to Mustang Panda provides threat-intelligence context, but local prioritization should be based on exposure to Windows endpoints and the organization’s ability to observe these behaviors.
Likely telemetry
- Windows process creation and parent-child process relationships, especially execution originating from extracted RAR archive contents
- DLL load events showing legitimate executables loading unexpected or newly written DLLs
- File creation, modification, and deletion telemetry for archives, payload files, encoded/encrypted files, and cleanup activity
- Windows service creation, modification, deletion, and related registry changes
- Code-signing metadata for executables and DLLs, including signer, trust status, and unusual signed binaries in user-writable locations
Detection direction
- Do not depend on a SplatDropper-specific signature; MITRE provides no official detection text for this software object.
- Tune for behavior chains: archive extraction followed by legitimate executable launch, unexpected DLL load, payload decode/deobfuscation, and service creation or modification.
- Baseline legitimate DLL loading for high-use signed applications so side-loading alerts can distinguish expected application behavior from unusual DLL path, filename, or directory patterns.
- Correlate Windows service changes with recent file drops and process execution, because service telemetry alone can be noisy in administrative environments.
- Review blind spots around RAR archive handling, user-writable directories, DLL load visibility, and retention of deleted-file or service-change evidence.
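To make the "behavior chain" direction above concrete, here is an added correlation example (not code from the page, Glexia or MITRE) that walks constructed endpoint events and reports only processes that were launched from a user-writable directory, then loaded a DLL from their own directory, then created a service within a short window. The event schema, archiver names and all sample paths are assumptions chosen for the example.

```python
# Added example, not the page's or MITRE's code. Assumed event schema: flat dicts
# with ts (seconds), type, pid, and Windows-style image/dll/parent_image paths.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}  # assumed archiver image names

def ntdir(path):   # lower-cased directory part of a Windows path
    return path.lower().rsplit("\\", 1)[0]
def ntbase(path):  # lower-cased file name part of a Windows path
    return path.lower().rsplit("\\", 1)[-1]

def in_user_writable(path):
    p = path.lower()
    return any(m in p for m in USER_WRITABLE) and not p.startswith(SYSTEM_DIRS)

def chain_findings(events, window_s=300):
    """One finding per process that: launched from a user-writable directory, loaded a
    DLL from the EXE's own (non-system) directory, and created a service within window_s."""
    procs = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "process_create" and in_user_writable(ev["image"]):
            stages = ["launch_user_writable"]
            if ntbase(ev["parent_image"]) in ARCHIVERS:  # archive-to-execution chain
                stages.append("parent_archiver")
            procs[pid] = {"image": ev["image"], "start": ev["ts"], "stages": stages}
        elif ev["type"] == "image_load" and pid in procs:
            exe_dir = ntdir(procs[pid]["image"])  # DLL resolved beside the EXE: side-load candidate
            if ntdir(ev["dll"]) == exe_dir and not exe_dir.startswith(SYSTEM_DIRS):
                procs[pid]["stages"].append("sideload:" + ntbase(ev["dll"]))
        elif ev["type"] == "service_create" and pid in procs:
            if ev["ts"] - procs[pid]["start"] <= window_s:
                procs[pid]["stages"].append("service:" + ev["service"])
    return [{"pid": pid, **p} for pid, p in procs.items()
            if any(s.startswith("sideload:") for s in p["stages"])
            and any(s.startswith("service:") for s in p["stages"])]

SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    {"ts": 100, "type": "process_create", "pid": 4100,
     "parent_image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EX.0001\\BugSplatHD64.exe"},
    {"ts": 101, "type": "image_load", "pid": 4100, "dll": "C:\\Windows\\System32\\kernel32.dll"},
    {"ts": 102, "type": "image_load", "pid": 4100,
     "dll": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EX.0001\\helper.dll"},
    {"ts": 130, "type": "service_create", "pid": 4100, "service": "UpdaterSvc"},
    {"ts": 200, "type": "process_create", "pid": 5200,  # benign: vendor app under Program Files
     "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Vendor\\app.exe"},
    {"ts": 201, "type": "image_load", "pid": 5200, "dll": "C:\\Program Files\\Vendor\\plugin.dll"},
    {"ts": 210, "type": "service_create", "pid": 5200, "service": "VendorSvc"},
]
```

The second process shows why the launch-location stage matters: a vendor application loading its own plugin DLL and registering a service from Program Files is not reported, which keeps the alert focused on the user-writable side-load pattern rather than on service creation alone.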
Mitigation priorities
- Strengthen endpoint visibility first: ensure Windows process, DLL load, file, service, registry, and code-signing telemetry is collected and retained long enough for IR reconstruction.
- Harden execution paths by reducing unnecessary execution from user-writable and archive extraction locations where feasible.
- Apply application control or allow-listing policies with attention to DLL side-loading risk, not only executable reputation.
- Restrict and monitor permissions to create or modify Windows services, especially outside approved administration workflows.
- Improve archive handling and user awareness controls for delivered RAR files where applicable to the environment.
Analyst notes and limits
The object is a malware/software entry for SplatDropper, first observed in 2025 per the supplied ATT&CK description. It is related to Mustang Panda and to several ATT&CK techniques that provide the practical detection and response map. The strongest defensive value is in validating coverage of Windows loader behaviors: native API use, obfuscation, DLL side-loading, service persistence, code-signing trust assumptions, and cleanup of persistence artifacts.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics for the SplatDropper software object itself. This assessment is therefore based on the official description, the Windows platform field, the external reference, and the supplied relationships. Local telemetry, file samples, incident evidence, and environment baselines are required before making claims about exposure, detection coverage, or attribution.
SplatDropper
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | SplatDropper has utilized hashed native Windows API calls. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1574.001 | DLL (sub-technique) | SplatDropper has leveraged legitimate binaries to conduct DLL side-loading. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1027.007 | Dynamic API Resolution (sub-technique) | SplatDropper has leveraged hashed Windows API calls using a seed value of "131313". [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | SplatDropper has also utilized an XOR-encrypted payload. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | SplatDropper has used legitimate signed binaries such as BugSplatHD64.exe for follow-on execution of malicious DLLs through DLL side-loading. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SplatDropper has decoded an XOR-encrypted payload. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1070.009 | Clear Persistence (sub-technique) | SplatDropper has deleted its malicious payload and removed the service it created to avoid leaving traces of its presence on victim devices. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | SplatDropper has created a service to execute a payload. [Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2e84ca1491dd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack S1232
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.