
S1235: CorKLOG

CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or with scheduled tasks.[1]

Domain: Enterprise | ID: S1235 | Type: Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CorKLOG is a Windows keylogger associated in ATT&CK with Mustang Panda and first observed in 2024. Its business significance is credential risk: keystroke capture can undermine identity controls, enable follow-on access, and complicate incident scoping because the affected user’s typed secrets may need to be treated as exposed. ATT&CK also links CorKLOG to persistence through Windows services or scheduled tasks, DLL abuse, encoded/encrypted files, local data staging, and code signing, making it a useful test case for whether endpoint, identity, and SOC controls can connect “quiet” persistence and collection activity into a credible incident picture.

Executive priority

Prioritize CorKLOG as an identity and endpoint resilience concern, especially for Windows environments where users handle privileged, diplomatic, government, research, NGO, or other sensitive information. Leaders should ask whether the organization can rapidly determine which hosts created unusual services or scheduled tasks, whether suspicious DLL execution is visible, and whether potentially captured credentials can be reset and investigated quickly. Because ATT&CK provides no official detection text for this object, coverage should be evidenced through local telemetry validation rather than assumed from tool ownership.

Technical view

For SOC, detection engineering, and IR teams, validate Windows visibility around the behaviors ATT&CK relates to CorKLOG: RAR-delivered executable and DLL artifacts, DLL execution or side-loading patterns, creation or modification of services, scheduled task creation, encoded or encrypted payload content followed by decode/deobfuscation activity, local staging of collected data, and code-signing trust decisions. The named example artifacts in the ATT&CK description are src.rar, lcommute.exe, and mscorsvc.dll; use them as reference context, not as complete detection coverage. Investigations should correlate persistence events with process ancestry, file creation, signature metadata, user context, and any evidence of keylogging or staged collection.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows service creation and modification events
  • Windows scheduled task creation, modification, and execution events
  • File creation and archive extraction telemetry for RAR archives, executables, and DLLs
  • DLL load telemetry and module path metadata

Detection direction

  • Validate detections for newly created or modified Windows services that execute from unusual user-writable or recently extracted paths.
  • Validate detections for scheduled tasks created by uncommon parent processes or tied to recently dropped executables or DLLs.
  • Tune DLL abuse analytics around suspicious DLL load paths, mismatched executable/DLL locations, and recently extracted DLLs, while accounting for legitimate enterprise software that loads local DLLs.
  • Do not rely only on the example filenames; adversaries can rename archives, executables, and DLLs.
  • Review how code signing is handled: signed binaries should not be automatically trusted without considering path, prevalence, parent process, and behavior.
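The validation points above (and the side-loading, service and scheduled-task patterns in the Technical view) as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python rule set run over constructed Windows telemetry records. The event fields, the extraction folder, the /tr target and the 15-minute interval threshold are assumptions; the task name, the file names and the schtasks switches come from the relationship table.

```python
import ntpath
import re

# Constructed sample telemetry (not real logs), modelled on Sysmon process-create and image-load
# events and a System-log service install; paths, the /tr target and the threshold are assumptions.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\downloads\\")
SHORT_INTERVAL_MINUTES = 15  # assumption: legitimate tasks rarely repeat this often
DROP = "C:\\Users\\alice\\AppData\\Local\\Temp\\src\\"  # constructed RAR extraction folder
SAMPLE_EVENTS = [
    {"kind": "process", "parent": DROP + "lcommute.exe",
     "cmdline": "schtasks /create /tn TabletlnputServices /tr " + DROP + "lcommute.exe /sc minute /mo 10 /f"},
    {"kind": "process", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'schtasks /create /tn BackupSync /tr "C:\\Program Files\\Backup\\sync.exe" /sc daily /st 02:00'},
    {"kind": "service", "name": "TabletlnputServices", "image_path": DROP + "lcommute.exe"},
    {"kind": "service", "name": "AcmeUpdater", "image_path": "C:\\Program Files\\Acme\\updater.exe"},
    {"kind": "imageload", "image": DROP + "lcommute.exe", "loaded": DROP + "mscorsvc.dll"},
    {"kind": "imageload", "image": "C:\\Program Files\\Acme\\updater.exe",
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
]

def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def check_schtasks(ev):
    """Flag 'schtasks /create' with a user-writable parent or /tr target, or a short repeat interval."""
    args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', ev["cmdline"])]
    if "/create" not in [a.lower() for a in args]:
        return []
    opts = {args[i].lower(): args[i + 1] for i in range(len(args) - 1) if args[i].startswith("/")}
    reasons = []
    if user_writable(ev["parent"]):
        reasons.append("parent in user-writable path: " + ev["parent"])
    if user_writable(opts.get("/tr", "")):
        reasons.append("task target in user-writable path: " + opts["/tr"])
    if opts.get("/sc", "").lower() == "minute" and int(opts.get("/mo", "1")) <= SHORT_INTERVAL_MINUTES:
        reasons.append("repeats every %s minute(s)" % opts.get("/mo", "1"))
    return [("suspicious_schtasks", opts.get("/tn", "?"), reasons)] if reasons else []

def check_service(ev):  # service binary installed from a user-writable location
    return [("service_from_user_writable", ev["name"], [ev["image_path"]])] if user_writable(ev["image_path"]) else []

def check_imageload(ev):  # DLL loaded from the same user-writable folder as its host executable
    same_dir = ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower()
    if same_dir and user_writable(ev["loaded"]):
        return [("dll_sideload_candidate", ntpath.basename(ev["loaded"]), [ev["image"]])]
    return []

CHECKS = {"process": check_schtasks, "service": check_service, "imageload": check_imageload}
def run_rules(events):  # returns (rule, subject, details) for every event that trips a check
    return [finding for ev in events for finding in CHECKS[ev["kind"]](ev)]
```

Only the three constructed CorKLOG-style events trip a rule; the explorer-launched daily task, the Program Files service and the System32 DLL load pass, which is the false-positive behaviour the tuning bullets ask for.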

Mitigation priorities

  • Harden Windows persistence surfaces by restricting who can create services and scheduled tasks and by monitoring administrative changes.
  • Apply application control or allowlisting where operationally feasible to reduce execution of untrusted executables and DLLs from user-writable or archive-extraction paths.
  • Strengthen credential protection and incident response playbooks so potentially typed credentials from affected hosts can be rotated and reviewed quickly.
  • Reduce phishing and archive-delivery risk through user awareness, attachment handling controls, and endpoint inspection of compressed files.
  • Treat code signing as a signal, not a guarantee; maintain policy and review processes for newly seen or unusual signed binaries.

Analyst notes and limits

The ATT&CK object identifies CorKLOG as a Windows keylogger leveraged by Mustang Panda, delivered through a RAR archive containing an executable and DLL, with persistence via services or scheduled tasks. Relationship context links it to keylogging, local data staging, encoded/encrypted files, deobfuscation, Windows services, scheduled tasks, code signing, and DLL abuse. These relationships are the strongest basis for defensive validation.

No official ATT&CK detection text, aliases, labels, or malware tactics were supplied for CorKLOG. The assessment should therefore be treated as behavior-driven guidance, not proof of current exposure or guaranteed detection. Local telemetry, endpoint configuration, identity architecture, and incident history are required to determine actual organizational risk and coverage.

Official MITRE ATT&CK definition

CorKLOG

CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or with scheduled tasks.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (8 rows)

Enterprise | T1553.002 | Code Signing (sub-technique)
    CorKLOG has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs through DLL side-loading. [1]

Enterprise | T1056.001 | Keylogging (sub-technique)
    CorKLOG has captured keystrokes. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
    CorKLOG has decoded XOR encrypted strings. [1]

Enterprise | T1543.003 | Windows Service (sub-technique)
    CorKLOG has created a service to establish persistence. [1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
    CorKLOG has encrypted collected contents using RC4. [1] CorKLOG has also utilized XOR encrypted strings. [1]

Enterprise | T1574.001 | DLL (sub-technique)
    CorKLOG has leveraged legitimate binaries to conduct DLL side-loading. [1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
    CorKLOG has achieved persistence through the creation of a scheduled task named TableInputServices by using the command `schtasks /create /tn TabletlnputServices /tr /sc minute /mo 10 /f`. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique)
    CorKLOG has stored the captured data in an encrypted file using a 48-character RC4 key. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2996c8e18373a484...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 |  | 1.0 |  | Current bundle | 2996c8e18373…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025: Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025.
  2. [2] mitre-attack S1235

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.