S1236: CLAIMLOADER
CLAIMLOADER is a malware variant that frequently accompanies legitimate executables used for DLL side-loading. It is known to be leveraged by Mustang Panda and was first observed in use in 2021.[1][2]
Analyst context for executives and security teams
CLAIMLOADER matters because MITRE describes it as Windows malware that commonly appears alongside legitimate executables used for DLL side-loading. For leaders, the practical risk is not just the malware name; it is the abuse of trusted-looking files, startup mechanisms, scheduled tasks, and Windows execution features that can make an intrusion look like normal software activity unless endpoint and file-system telemetry is strong.
Executive priority
Prioritize validation of Windows endpoint visibility, DLL side-loading detection, persistence monitoring, and user-driven malicious file execution controls. This object is linked by MITRE to Mustang Panda and to multiple stealth, execution, and persistence techniques, so it is useful for assessing whether SOC and IR teams can distinguish legitimate software behavior from suspicious companion DLLs, hidden files, Run key changes, scheduled tasks, COM activity, and dynamic API behavior. Use it as a control-coverage and audit-evidence scenario rather than as proof of current exposure.
Technical view
SOC and IR teams should treat CLAIMLOADER as a Windows malware coverage test focused on DLL side-loading and related persistence/evasion behaviors. Validate collection and correlation around legitimate executables loading unexpected DLLs, files placed in trusted-looking names or locations, hidden file attributes, scheduled task creation or modification, Registry Run key or Startup folder changes, COM-based execution, native API use, deobfuscation or decoding behavior, mutex creation patterns, and suspicious user-opened files. MITRE does not provide object-specific detection logic, so detections should be built from the related ATT&CK techniques and tuned against known-good enterprise software baselines.
Likely telemetry
- Windows endpoint process creation and parent-child process relationships
- Image load and DLL load telemetry, especially legitimate executables loading unusual DLLs from user-writable or unexpected paths
- File creation, rename, path, attribute, and hidden-file telemetry
- Windows Registry monitoring for Run keys and related startup persistence locations
- Scheduled task creation, modification, and execution logs
Detection direction
- Build detections around behavior clusters rather than the malware name alone: legitimate executable plus unexpected DLL load plus persistence or hidden-file activity is higher value than any single weak signal.
- Baseline legitimate DLL search paths and common enterprise software side-loading patterns to reduce false positives.
- Correlate scheduled task and Run key creation with new binaries or DLLs appearing in user-writable, temporary, download, or trusted-looking directories.
- Review alerts for files that match or approximate legitimate resource names or locations, especially when paired with unusual process ancestry.
- Account for blind spots: if image-load logging, Registry auditing, or scheduled task telemetry is missing, coverage for this malware’s related behaviors will be materially limited.
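The behavior-cluster approach above, as an added Python example (not CLAIMLOADER code and not MITRE or vendor detection content): it maps constructed Sysmon-style events to weak signals and only alerts when a signed executable that loads a DLL from its own user-writable directory is paired, in the same process, with Run-key or scheduled-task persistence. Host names, paths, GUIDs, the `schtasks` command line, the path prefix lists, the weights and the threshold are all assumptions to tune against your own software baseline.

```python
"""Correlate weak DLL side-loading and persistence signals into one alert.

Added example for this page; it is not CLAIMLOADER code, not MITRE detection
content and not a vendor rule.  The events are hand-constructed, Sysmon-style
records (Event ID 7, 13 and 1 fields: Image, ImageLoaded, Signed,
TargetObject, CommandLine, ProcessGuid); names, paths and GUIDs are
hypothetical.  Thresholds and path lists are assumptions to tune locally.
"""
from collections import defaultdict

# Locations where a signed executable should not be loading a companion DLL
# from its own directory (assumption: adjust to your software baseline).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
SYSTEM_DLL_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                       "c:\\windows\\winsxs\\")
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Weights: a side-load candidate alone is not enough; it must be paired with
# at least one persistence signal from the same process (assumption).
WEIGHTS = {"sideload_candidate": 2, "run_key_persistence": 1,
           "scheduled_task_persistence": 1}
ALERT_THRESHOLD = 3


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0] + "\\"


def classify(ev):
    """Return (correlation key, signal name) for one event, or None."""
    kind = ev["event"]
    if kind == "image_load":  # Sysmon EID 7
        exe, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
        if (ev.get("Signed") == "true"
                and dll.startswith(USER_WRITABLE_PREFIXES)
                and not dll.startswith(SYSTEM_DLL_PREFIXES)
                and _dirname(dll) == _dirname(exe)):
            return ev["ProcessGuid"], "sideload_candidate"
    elif kind == "registry_set":  # Sysmon EID 13
        if RUN_KEY_MARKER in ev["TargetObject"].lower():
            return ev["ProcessGuid"], "run_key_persistence"
    elif kind == "process_create":  # Sysmon EID 1, keyed on the parent process
        cl = ev["CommandLine"].lower()
        if (ev["Image"].lower().endswith("\\schtasks.exe")
                and "/create" in cl and "/sc minute" in cl):
            return ev["ParentProcessGuid"], "scheduled_task_persistence"
    return None


def correlate(events):
    """Group signals per (host, process) and emit alerts at or above threshold."""
    clusters = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            key, signal = hit
            clusters[(ev["host"], key)].add(signal)
    alerts = []
    for (host, guid), signals in sorted(clusters.items()):
        score = sum(WEIGHTS[s] for s in signals)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": host, "process_guid": guid,
                           "signals": sorted(signals), "score": score})
    return alerts


# Constructed sample telemetry (hypothetical names, paths, GUIDs, command line).
SAMPLE_EVENTS = [
    # Host A: a signed EXE in ProgramData loads a DLL sitting next to it ...
    {"host": "wsA", "event": "image_load", "ProcessGuid": "{A1}",
     "Image": r"C:\ProgramData\SyncTool\SyncTool.exe", "Signed": "true",
     "ImageLoaded": r"C:\ProgramData\SyncTool\version.dll"},
    # ... then writes an HKCU Run value ...
    {"host": "wsA", "event": "registry_set", "ProcessGuid": "{A1}",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SyncTool"},
    # ... and spawns schtasks for a recurring task.
    {"host": "wsA", "event": "process_create", "ProcessGuid": "{A2}",
     "ParentProcessGuid": "{A1}", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /F /Create /TN SyncTool /SC MINUTE /MO 5 /TR C:\ProgramData\SyncTool\SyncTool.exe"},
    # Host B: benign install under Program Files plus a Run key: one weak signal only.
    {"host": "wsB", "event": "image_load", "ProcessGuid": "{B1}",
     "Image": r"C:\Program Files\Vendor\app.exe", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll"},
    {"host": "wsB", "event": "registry_set", "ProcessGuid": "{B1}",
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only host A fires: the Program Files load on host B never becomes a signal, and its lone Run-key write stays below the threshold. The scheduled-task event is keyed on `ParentProcessGuid` so that a child `schtasks.exe` lands in the loader's cluster rather than its own; extend the same idea to `TaskScheduler/Operational` 4698 events or `SetFileAttributes` telemetry where you have them.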
Mitigation priorities
- Harden Windows endpoint monitoring first: ensure EDR or native logging captures process, DLL load, Registry, scheduled task, and file attribute changes.
- Reduce user execution risk through attachment/download controls, least privilege, and user-awareness measures for suspicious files, consistent with the related malicious-file execution behavior.
- Restrict and monitor persistence locations such as Run keys, Startup folders, and scheduled tasks, with administrative change control where practical.
- Apply application control or allow-listing strategies for high-risk directories and unexpected DLL loading patterns where operationally feasible.
- Improve incident response readiness with playbooks for DLL side-loading investigations, including file provenance, companion executable analysis, persistence review, and host containment criteria.
Analyst notes and limits
The supplied ATT&CK object identifies CLAIMLOADER as a Windows malware variant associated with legitimate executables used for DLL side-loading and reports a relationship where Mustang Panda uses it. The strongest defensive value comes from the related techniques: Dynamic API Resolution, Match Legitimate Resource Name or Location, Scheduled Task, Native API, Deobfuscate/Decode Files or Information, Malicious File, Mutual Exclusion, Registry Run Keys / Startup Folder, COM, Hidden Files and Directories, and DLL abuse. Local baselines are essential because many of these behaviors can also occur in legitimate software administration and application behavior.
MITRE provides no official detection text for this object, no aliases, and no tactics listed directly on the malware object. The assessment is limited to the supplied STIX fields, external references, and relationships. It should not be read as evidence of active exploitation, confirmed customer exposure, guaranteed detectability, or attribution in any specific incident.
CLAIMLOADER
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1559.001 | Component Object Model | CLAIMLOADER has leveraged Component Object Model (COM) objects to create a scheduled task using the `ITaskService` interface.[2] |
| Enterprise | T1106 | Native API | CLAIMLOADER has used various Windows API calls during execution, when establishing persistence, and for defense evasion.[1][2] It has also leveraged legitimate API functions that take a callback to run its shellcode, including `GetDC()` and `EnumFontsW()`.[1] It established persistence using the `SHSetValue()` API.[1] It has also used callback-taking APIs such as `EnumPropsExW`, `EnumSystemLanguageGroupsA`, and `EnumCalendarInfoExW`.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | CLAIMLOADER has added Registry Run keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` to achieve persistence.[1][2] |
| Enterprise | T1574.001 | DLL | CLAIMLOADER has used a legitimately signed executable to execute a malicious payload contained in a DLL file.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories | CLAIMLOADER has modified file attributes so its files remain hidden from a standard user.[2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | CLAIMLOADER has imitated legitimate software directories by creating and storing its EXE and DLL under `C:\ProgramData\` and using legitimate-looking software names.[2] |
| Enterprise | T1480.002 | Mutual Exclusion | CLAIMLOADER has created a hardcoded mutex to ensure only a single instance of the malware is running.[1][2] |
| Enterprise | T1204.002 | Malicious File | CLAIMLOADER has used tailored decoy documents as part of its installation routine to entice users to open attachments.[2] |
| Enterprise | T1053.005 | Scheduled Task | CLAIMLOADER has created scheduled tasks that execute the loader every five (5) minutes using `schtasks /F /Create /TN \"` |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | CLAIMLOADER has decoded its payload prior to execution.[1][2] |
| Enterprise | T1027.007 | Dynamic API Resolution | CLAIMLOADER has used XOR-encrypted API names together with the native APIs `LdrLoadDll()` and `LdrGetProcedureAddress()` to resolve imports dynamically.[1][2] |
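A triage check for the Dynamic API Resolution row, added here as an example rather than taken from the page or the cited reports: the reports say the API names are XOR-encrypted, so one quick way to confirm that in a suspect companion DLL is to XOR a watchlist of loader-relevant API names with every single-byte key and search the file for the result. The single-byte key scheme, the key `0x5A`, the watchlist entries beyond `LdrLoadDll`/`LdrGetProcedureAddress`/`SHSetValue`/`EnumFontsW` and the sample blob are all constructed assumptions; real samples may use multi-byte or rolling keys, which this check would miss.

```python
"""Find single-byte-XOR-obscured Windows API names in a binary blob.

Added triage example for the Dynamic API Resolution technique row; it is not
CLAIMLOADER code.  The single-byte XOR scheme and the key are assumptions
(the reports only state that the names are XOR-encrypted), and the sample
blob below is constructed, not extracted from a real sample.
"""

# API names a self-resolving loader is likely to hide.  The first four appear
# in the technique table; the remaining entries are assumptions.
WATCHLIST = [b"LdrLoadDll", b"LdrGetProcedureAddress", b"SHSetValue",
             b"EnumFontsW", b"CreateMutexW", b"SetFileAttributesW"]


def xor_bytes(data, key):
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def find_xored_names(blob, watchlist=WATCHLIST):
    """Try every single-byte key and return (key, name, offset) hits.

    Key 0x00 is skipped on purpose so that plain-text strings are not
    reported as 'XOR-encoded'.  Watchlist names are 10+ bytes long, so
    accidental matches under a wrong key are practically impossible.
    """
    hits = []
    for key in range(1, 256):
        for name in watchlist:
            needle = xor_bytes(name, key)
            start = 0
            while True:
                off = blob.find(needle, start)
                if off < 0:
                    break
                hits.append((key, name.decode(), off))
                start = off + 1
    return hits


def summarize(hits):
    """Group hits by key -> sorted decoded names, to spot the dominant key."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, set()).add(name)
    return {k: sorted(v) for k, v in by_key.items()}


def build_sample_blob(key=0x5A):
    """Constructed stand-in for a loader's data section (hypothetical layout):
    256 bytes of filler, then three NUL-terminated API names XOR'd with `key`,
    each followed by 32 bytes of filler."""
    filler = bytes(range(256))
    parts = [filler]
    for name in (b"LdrLoadDll", b"LdrGetProcedureAddress", b"SHSetValue"):
        parts.append(xor_bytes(name + b"\x00", key))
        parts.append(filler[:32])
    return b"".join(parts)


if __name__ == "__main__":
    blob = build_sample_blob()
    for key, name, off in find_xored_names(blob):
        print(f"key=0x{key:02x} {name} @ 0x{off:x}")
    print(summarize(find_xored_names(blob)))
```

Run it against a real DLL with `find_xored_names(open(path, "rb").read())`; a single key that decodes several watchlist names at once is the signal, and the decoded set tells you which capabilities (persistence, mutex, attribute changes) the loader resolves at run time. If nothing matches, try the same watchlist as UTF-16LE before concluding the scheme is not single-byte XOR.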
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 290eaa8ca3bd… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025: Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.
- [2] 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA: Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.
- [3] mitre-attack: S1236 (MITRE ATT&CK software entry).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.