
S1233: PAKLOG

PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL which starts with the keylogger functionality.[1]

Domain: Enterprise. ID: S1233. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PAKLOG matters because it combines a Windows DLL side-loading pattern with keylogging and local collection behaviors. For leaders, the practical risk is credential and sensitive-data capture from user workstations, potentially giving an intruder more access without needing traditional password dumping. The supplied ATT&CK context ties PAKLOG to Mustang Panda and describes delivery via a RAR archive containing a legitimate signed binary and a malicious DLL, making trust decisions around signed executables and archive-delivered software especially important.

Executive priority

Prioritize validation of endpoint visibility and response playbooks for signed-binary abuse, DLL side-loading, and keylogging on Windows systems. This is relevant to identity risk, incident containment, and audit evidence because captured keystrokes or clipboard data can undermine MFA workflows, privileged access controls, and user trust even when malware execution appears limited to a workstation.

Technical view

SOC and IR teams should validate that they can observe three things in sequence: a legitimate signed binary such as PACLOUD.exe executing from an archive extraction or user download path; that binary loading an unexpected DLL such as pa_lang2.dll from its own directory; and the follow-on behaviours mapped in the relationship table, namely keylogging, clipboard collection, application window discovery, process discovery, system time discovery, local data staging, native API usage, encoded or encrypted files, code signing abuse, and DLL side-loading. Because MITRE publishes no detection text for the PAKLOG object, detection engineering should be behaviour-led rather than keyed to a single filename, hash, or signature.

Likely telemetry

  • Windows endpoint process creation events, including parent-child relationships from archive extraction or user download locations
  • Image load or module load telemetry for DLLs loaded by legitimate signed binaries
  • File creation and modification telemetry for RAR contents, DLLs, encoded or encrypted files, and local staging locations
  • Code signing metadata for executables and DLLs, including signer, path, and trust state
  • Clipboard access or monitoring events where available

Detection direction

  • Correlate archive-delivered execution with signed binary loading of an unexpected DLL from the same directory or user-writable path.
  • Tune for DLL side-loading patterns involving legitimate binaries rather than treating signed status alone as benign.
  • Look for clusters of collection and discovery behaviors: keylogging indicators, clipboard access, application window discovery, process discovery, local staging, and encoded or encrypted artifacts.
  • Treat filenames from the ATT&CK description as useful leads, not complete detection logic; adversaries may alter names or paths.
  • Account for false positives from legitimate software that loads DLLs from application directories; prioritize unusual location, recent archive extraction, rare signer/path combinations, and collection behavior.
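The correlation described in the list above, written out as an added example (not Glexia's or MITRE's code): it runs the side-loading logic over a handful of constructed Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records. The archiver list, the user-writable path heuristic, the score weights and the alert threshold are assumptions to be tuned against local telemetry; the PIDs, user name and extraction paths are constructed. Note that the host executable's own signature is deliberately never used to suppress the alert.

```python
"""Behaviour-led DLL side-loading correlation over constructed Sysmon-style events.

Added illustration, not Glexia's or MITRE's code. Field names loosely follow
Sysmon Event ID 1 (process create) and Event ID 7 (image load). All events,
paths and PIDs are constructed; ARCHIVE_TOOLS, the path heuristic and the score
weights are assumptions to tune against local telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption: archivers whose child processes indicate "ran straight out of an archive".
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}
# DLLs resolved from these directories are the normal Windows case, not side-loading.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
ALERT_THRESHOLD = 5  # assumption: tune so vendor apps in Program Files stay quiet

# Constructed sample telemetry: one side-load chain and one benign vendor application.
EVENTS = [
    {"id": 1, "pid": 4100, "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa4100\PACLOUD.exe"},
    {"id": 7, "pid": 4100, "image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa4100\PACLOUD.exe",
     "image_loaded": r"C:\Windows\System32\user32.dll", "signed": True},
    {"id": 7, "pid": 4100, "image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa4100\PACLOUD.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa4100\pa_lang2.dll", "signed": False},
    {"id": 1, "pid": 5200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\VendorApp\app.exe"},
    {"id": 7, "pid": 5200, "image": r"C:\Program Files\VendorApp\app.exe",
     "image_loaded": r"C:\Program Files\VendorApp\helper.dll", "signed": True},
]


@dataclass
class Finding:
    pid: int
    image: str
    dll: str
    score: int
    reasons: list[str] = field(default_factory=list)


def is_user_writable(directory: str) -> bool:
    """Coarse heuristic: profile and ProgramData trees are writable by normal users."""
    d = directory.lower()
    return d.startswith(("c:\\users\\", "c:\\programdata\\"))


def correlate(events: list[dict]) -> list[Finding]:
    """Flag a process that loads a DLL from its own directory under suspicious conditions.

    Core shape: the loaded DLL's directory equals the host EXE's directory (the
    search-order case behind side-loading). Signals are then stacked: unsigned
    adjacent DLL, user-writable location, and a parent process or path that shows
    the EXE was run straight out of an archive. The EXE's own signature is ignored.
    """
    creates = {e["pid"]: e for e in events if e["id"] == 1}
    findings: list[Finding] = []
    for e in events:
        if e["id"] != 7:
            continue
        exe = PureWindowsPath(e["image"])
        dll = PureWindowsPath(e["image_loaded"])
        if dll.parent != exe.parent:  # not an adjacent load; PureWindowsPath compares case-insensitively
            continue
        if str(exe.parent).lower().startswith(SYSTEM_DIRS):
            continue  # system binaries loading their own system DLLs
        score, reasons = 0, []
        if not e.get("signed", False):
            score += 3
            reasons.append("adjacent DLL is unsigned")
        if is_user_writable(str(exe.parent)):
            score += 2
            reasons.append("host EXE runs from a user-writable path")
        create = creates.get(e["pid"])
        if create is not None:
            parent = PureWindowsPath(create["parent_image"]).name.lower()
            if parent in ARCHIVE_TOOLS or "rar$" in str(exe.parent).lower():
                score += 2
                reasons.append(f"spawned from archive extraction (parent {parent})")
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(e["pid"], str(exe), str(dll), score, reasons))
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f.pid}: {f.image} loaded {f.dll} (score {f.score})")
        for r in f.reasons:
            print("  -", r)
```

Run against the constructed events, only the PACLOUD.exe process is flagged (score 7: unsigned adjacent DLL, user-writable path, WinRAR parent); the vendor application loading its own signed DLL from Program Files scores 0. In production the same three joins (process create, image load, signature state) are what the telemetry list above asks you to confirm you actually collect.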

Mitigation priorities

  • Harden Windows endpoints against DLL side-loading by reducing execution from user-writable and archive extraction locations where operationally feasible.
  • Validate application control or allowlisting policies for legitimate signed binaries that can be abused to load adjacent DLLs.
  • Ensure endpoint protection can inspect archives and monitor post-extraction execution behavior.
  • Strengthen identity protections on the assumption that credentials may have been captured: rapid password reset procedures, privileged session review, and incident playbooks that treat one-time codes typed on an affected workstation as compromised.
  • Review controls and logging for clipboard and keystroke capture risks on high-value workstations.

Analyst notes and limits

The ATT&CK object identifies PAKLOG as Windows malware first observed in 2024, deployed via a RAR archive with a legitimate signed PACLOUD.exe and malicious pa_lang2.dll, and used by Mustang Panda. The most decision-useful relationships are Keylogging, Clipboard Data, DLL side-loading, Code Signing, discovery behaviors, local staging, and encrypted or encoded files.

MITRE does not provide official detection guidance, aliases, tactics for the malware object, or detailed indicators beyond the cited description. Local validation is required to determine whether relevant endpoint, module-load, archive, clipboard, and identity telemetry is collected and retained.

Official MITRE ATT&CK definition

PAKLOG

PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL which starts with the keylogger functionality.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

10 rows. Columns: Domain, ID, Name, Relationship / procedure. Every procedure note is sourced from reference [1].

Enterprise  T1027.013  Encrypted/Encoded File (sub-technique)
  PAKLOG has utilized a simple encoding mechanism to encode characters in the buffer.[1]

Enterprise  T1056.001  Keylogging (sub-technique)
  PAKLOG has captured keystrokes using Windows API.[1]

Enterprise  T1115  Clipboard Data
  PAKLOG has monitored and extracted clipboard contents.[1]

Enterprise  T1106  Native API
  PAKLOG has used Windows API `SetWindowsHookExW` with `idHook` set to `WH_KEYBOARD_LL` and a custom hook procedure to support its keylogging functions.[1]

Enterprise  T1553.002  Code Signing (sub-technique)
  PAKLOG has used legitimate signed binaries such as PACLOUD.exe for follow-on execution of malicious DLLs through DLL side-loading.[1]

Enterprise  T1074.001  Local Data Staging (sub-technique)
  PAKLOG has stored the captured data in a file located at `C:\Users\Public\Libraries\record.txt`.[1]

Enterprise  T1010  Application Window Discovery
  PAKLOG has used `GetForegroundWindow` to access the foreground window and has also captured text from the foreground windows.[1]

Enterprise  T1574.001  DLL (sub-technique)
  PAKLOG has leveraged legitimate binaries to conduct DLL side-loading.[1]

Enterprise  T1057  Process Discovery
  PAKLOG has detected and logged the full path of processes active in the foreground using Windows API calls.[1]

Enterprise  T1124  System Time Discovery
  PAKLOG has collected a timestamp to log the precise time a key was pressed, formatted as %Y-%m-%d %H:%M:%S.[1]

Associated objects

Groups, software, and campaigns

Group (Enterprise): G0129 Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7cef7ad527f519da...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | 7cef7ad527f5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025
     Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Zscaler. Retrieved September 12, 2025.
  2. [2] mitre-attack S1233
     MITRE ATT&CK. S1233: PAKLOG.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.