S1234: SplatCloak
SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.[1]
Analyst context for executives and security teams
SplatCloak matters because its described purpose is to interfere with endpoint security routines on Windows, specifically related to Windows Defender and Kaspersky, to help evade detection. For leaders, the decision point is not just whether this malware is present; it is whether the organization can prove its endpoint controls remain healthy, monitored, and independently observable when an adversary tries to blind them.
Executive priority
Treat this as a control-resilience and incident-readiness issue. The supplied ATT&CK context links SplatCloak to Mustang Panda and deployment by SplatDropper, but the practical priority is validating that EDR/AV tampering, invalid code signatures, and security-tool and system discovery would generate timely evidence. This supports budget and audit decisions around endpoint hardening, tamper protection, security tool health monitoring, and SOC escalation paths when defensive visibility is degraded.
Technical view
SplatCloak is a Windows malware entry with no official ATT&CK detection text provided. Relationship context indicates use of Invalid Code Signature, System Information Discovery, File and Directory Discovery, Native API, Security Software Discovery, and Disable or Modify Tools. Taken together, the relationship text describes kernel-level interference: a driver loaded under a revoked certificate that locates AV drivers and disables their API callback routines, so driver-load telemetry belongs in scope alongside process and service events. SOC and IR teams should validate coverage around Windows binaries and drivers with invalid or revoked signatures, processes querying system and security-tool information, enumeration of files and directories, and events showing security products being stopped, modified, degraded, or losing expected telemetry. Because the object specifically references Windows Defender and Kaspersky routines, defenders should confirm what health, tamper, service, configuration, and alert data is available for those products where deployed.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service start/stop and security product health events
- Windows Defender and Kaspersky status, tamper, configuration, update, and alert logs where deployed
- File creation, modification, and execution metadata for suspicious binaries
- Driver load events (for example Sysmon Event ID 6) and digital signature validation results, especially invalid, revoked, or misleading signatures
Detection direction
- Start with control-health detection: alert when endpoint security tools are disabled, modified, fail to report, or unexpectedly lose protection status.
- Correlate invalid code signature findings with new or unusual executable activity rather than treating signature failure alone as conclusive evidence.
- Look for discovery behavior that precedes or accompanies security-tool tampering, including security software discovery, system information discovery, and file/directory enumeration.
- Tune for false positives from legitimate administration, software updates, and security-tool maintenance by using approved change windows, known admin tools, and expected management systems as context.
- Validate that SOC workflows escalate loss of endpoint visibility as a security event, not only as an IT operations issue.
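The correlation described in the bullets above, as an added example that is not part of the ATT&CK entry or the Zscaler report: it runs over a handful of constructed events shaped like Sysmon Event ID 6 (DriverLoad) records and Microsoft-Windows-Windows Defender/Operational events 5001 (real-time protection disabled) and 5007 (configuration changed), and raises an alert only when a driver with a non-Valid signature status is followed on the same host, within a short window, by a protection change that no approved management source accounts for. The `ChangeSource` field, the approved-source allowlist, the window length, and all sample records are assumptions for illustration; the Sysmon and Defender field names and event IDs are real.

```python
"""Correlate suspicious driver loads with security-tool tampering.

Added example, not code from the ATT&CK page or the cited report. Sample
records are constructed; ChangeSource is an assumed enrichment field.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Defender Operational log events that change protection state.
DEFENDER_TAMPER_EVENTS = {
    5001: "real-time protection disabled",
    5007: "configuration changed",
}

# Assumed allowlist of management systems whose changes are expected.
APPROVED_CHANGE_SOURCES = {"Intune", "ConfigMgr"}

# Assumed correlation window between driver load and tamper event.
CORRELATION_WINDOW = timedelta(minutes=15)


def parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime format, e.g. '2025-04-16 09:14:02.110'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def is_suspicious_driver_load(e: dict) -> bool:
    """Sysmon EID 6 where the image is unsigned or the chain did not
    validate as 'Valid' (covers Revoked, Expired, Unavailable, ...)."""
    if e.get("Provider") != "Sysmon" or e.get("EventID") != 6:
        return False
    return e.get("Signed") != "true" or e.get("SignatureStatus") != "Valid"


def is_unapproved_tamper(e: dict) -> bool:
    """Defender 5001/5007 not attributed to an approved change source."""
    if e.get("Provider") != "Microsoft-Windows-Windows Defender":
        return False
    if e.get("EventID") not in DEFENDER_TAMPER_EVENTS:
        return False
    return e.get("ChangeSource") not in APPROVED_CHANGE_SOURCES


def correlate(events: list[dict]) -> list[dict]:
    """One alert per suspicious driver load that is followed, on the same
    host and within CORRELATION_WINDOW, by an unapproved tamper event."""
    by_host: dict[str, list[dict]] = {}
    for e in events:
        by_host.setdefault(e["Computer"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_utc(e["UtcTime"]))
        tampers = [e for e in evs if is_unapproved_tamper(e)]
        for load in (e for e in evs if is_suspicious_driver_load(e)):
            t0 = parse_utc(load["UtcTime"])
            followed = [t for t in tampers
                        if t0 <= parse_utc(t["UtcTime"]) <= t0 + CORRELATION_WINDOW]
            if followed:
                alerts.append({
                    "host": host,
                    "driver": load["ImageLoaded"],
                    "signature_status": load.get("SignatureStatus"),
                    "signer": load.get("Signature"),
                    "tamper_events": [DEFENDER_TAMPER_EVENTS[t["EventID"]] for t in followed],
                })
    return alerts


# Constructed sample telemetry: one true positive, one approved change,
# one out-of-window pair. Paths and signer names are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Provider": "Sysmon", "EventID": 6,
     "UtcTime": "2025-04-16 09:14:02.110",
     "ImageLoaded": "C:\\Windows\\Temp\\unknown.sys", "Signed": "true",
     "Signature": "Example Signer Ltd", "SignatureStatus": "Revoked"},
    {"Computer": "WS01", "Provider": "Microsoft-Windows-Windows Defender",
     "EventID": 5001, "UtcTime": "2025-04-16 09:14:40.500", "ChangeSource": "local"},
    {"Computer": "WS02", "Provider": "Sysmon", "EventID": 6,
     "UtcTime": "2025-04-16 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\WdFilter.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "WS02", "Provider": "Microsoft-Windows-Windows Defender",
     "EventID": 5007, "UtcTime": "2025-04-16 10:01:00.000", "ChangeSource": "Intune"},
    {"Computer": "WS03", "Provider": "Sysmon", "EventID": 6,
     "UtcTime": "2025-04-16 11:00:00.000",
     "ImageLoaded": "C:\\Users\\Public\\x.sys", "Signed": "false",
     "SignatureStatus": "Unavailable"},
    {"Computer": "WS03", "Provider": "Microsoft-Windows-Windows Defender",
     "EventID": 5001, "UtcTime": "2025-04-16 12:30:00.000", "ChangeSource": "local"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The approved-source suppression is the tuning step the bullets call for: the WS02 pair is a valid Microsoft-signed driver followed by an Intune-attributed change and produces nothing, while WS03's unsigned driver is not joined to a tamper event an hour later. Swap the allowlist and window for whatever your change-management and EDR health data actually supports.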
Mitigation priorities
- Prioritize tamper-resistant configuration and health monitoring for endpoint protection tools used in the Windows estate.
- Ensure independent log forwarding or central collection so endpoint evidence is not lost when a local security tool is impaired.
- Restrict administrative privileges and control who or what can stop, reconfigure, or uninstall security software.
- Use application control and code-signing validation policies where feasible to reduce execution of unsigned or invalidly signed binaries. Because the relationship text describes a kernel driver loaded under a revoked certificate, also review kernel-mode controls such as a WDAC driver policy and Microsoft's vulnerable driver blocklist, which restrict which signers may load kernel code regardless of user-mode application control.
- Maintain IR procedures for rapid isolation and evidence preservation when endpoint defenses are degraded.
Analyst notes and limits
The ATT&CK entry is new in the supplied data, has no official detection section, and lists no tactics directly on the malware object. The strongest supported defensive interpretation is defense impairment on Windows endpoints, with relationship-driven context for invalid signatures, discovery, native API use, and security-tool tampering. Local validation is required to determine whether Windows Defender, Kaspersky, or other endpoint controls are present and what telemetry they expose.
This take is based only on the supplied ATT&CK fields, external reference, and relationships. It does not assert current exploitation, customer exposure, successful detection, or confirmed attribution in any environment. Technique relationships describe reported behavior context but do not provide complete procedure-level detail or a detection rule.
SplatCloak
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1562.001 | Disable or Modify Tools | SplatCloak has identified and disabled API callback features of Windows Defender and Kaspersky.[1] |
| Enterprise | T1082 | System Information Discovery | SplatCloak has collected the Windows build number using the Windows kernel API `RtlGetVersion` to determine if the response is 19000 or higher (Windows 10 version 2004 or later).[1] |
| Enterprise | T1518.001 | Security Software Discovery | SplatCloak has identified drivers of AV solutions by searching for related filenames, keywords and signed certificates.[1] |
| Enterprise | T1036.001 | Invalid Code Signature | SplatCloak has used a revoked certificate to exploit Windows driver execution policy, under which certificates issued before a specific date could still load.[1] |
| Enterprise | T1083 | File and Directory Discovery | SplatCloak has used the Windows API to identify files associated with Windows Defender and Kaspersky.[1] |
| Enterprise | T1106 | Native API | SplatCloak has utilized native Windows API calls dynamically through `ZwQuerySystemInformation`.[1] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0644dff0b22c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Zscaler. Retrieved September 12, 2025.
[2] MITRE ATT&CK. S1234: SplatCloak (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.