
S1237: CANONSTAGER

CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.[1]

Domain: Enterprise | ID: S1237 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CANONSTAGER matters because it is a Windows loader, associated in ATT&CK with Mustang Panda, built to get an initial malicious component running quietly before an encrypted follow-on payload is delivered. Its combination of DLL side-loading, custom API hashing, Thread Local Storage (described in the mirrored procedure text as the place where hash-resolved function addresses are stored and later called from), Native Windows API calls, and a zero-size hidden window that waits for a specific window message means that file-name or signature-only controls can miss the execution evidence that matters.

Executive priority

Prioritize CANONSTAGER as a validation case for Windows endpoint resilience and incident readiness, especially where the organization has diplomatic, government, NGO, research, or similar exposure reflected in the related Mustang Panda context. Leaders should ask whether security teams can prove visibility into suspicious DLL loading, unusual Windows API-driven execution, hidden process/window behavior, and loader-to-payload handoff activity. This is also useful for audit and risk discussions because it tests whether controls detect stealthy execution behavior rather than only known malware names.

Technical view

SOC and IR teams should treat this as a Windows loader behavior cluster, not just a malware label. The ATT&CK relationships point to DLL side-loading (T1574.001), Native API usage (T1106), Dynamic API Resolution through custom API hashing (T1027.007), Thread Local Storage (T1055.005), a hidden zero-size window (T1564.003), and a DLL name chosen to match a legitimate program (T1036.005). Note that the procedure text for the TLS relationship describes the TLS array as storage for hash-resolved function addresses that are later called through offsets into that array, so the sample's import table and API-name strings will not reveal what it actually calls. Validation should focus on whether endpoint telemetry can reconstruct process ancestry, module/DLL loads with path and signer, PE characteristics, runtime API resolution behavior, and execution from locations or names that imitate legitimate resources. Because ATT&CK provides no official detection text for CANONSTAGER, detections should be behavior-led and tested against local baselines for legitimate software updaters, administrative tooling, and applications that load DLLs from their own directory as normal behavior.

Likely telemetry

  • Windows endpoint process creation and parent-child process lineage
  • DLL/module load events, including path, signer, hash, and loading process
  • File creation and modification events for executables, DLLs, and resources placed in legitimate-looking locations
  • PE metadata or malware-analysis output indicating Thread Local Storage use: a TLS directory or TLS callbacks in the PE, or runtime TLS slot access (for example TlsAlloc/TlsSetValue/TlsGetValue or direct TEB access) used to hold resolved function addresses, as the mirrored procedure text describes for CANONSTAGER
  • EDR telemetry for Native Windows API usage, memory/process activity, and dynamic API resolution indicators where available

Detection direction

  • Validate coverage for DLL side-loading patterns, especially trusted or legitimate executables loading unexpected DLLs from non-standard or user-writable paths.
  • Hunt for executable or DLL names and locations that closely match legitimate resources, while tuning for common enterprise software that legitimately uses similar naming patterns.
  • Add analysis paths for Thread Local Storage use in suspect PE files. A TLS directory with callbacks can run code before the expected entry point and defeat process-centric assumptions; separately, as described for CANONSTAGER, TLS slots can hold API addresses resolved by hashing so that calls go through offsets into the TLS array rather than through the import table, which leaves static import analysis blind.
  • Correlate dynamic API resolution and Native API usage with suspicious process ancestry, module loads, and file placement rather than alerting on API behavior alone.
  • Review whether hidden-window or message-queue behavior is visible in current EDR/SOC tooling: for CANONSTAGER the described pattern is a window class registered with `RegisterClassW`, a window created with `CreateWindowExW` at zero height and width, and a window procedure that waits for WM_SHOWWINDOW (0x0018) before the payload stage runs. If that is not observable, document the blind spot and rely on adjacent process, DLL, and file telemetry.

Mitigation priorities

  • Harden Windows application control and DLL search-order exposure where feasible, prioritizing high-risk user-writable directories and software that frequently side-loads libraries.
  • Reduce execution from untrusted paths through allowlisting, least privilege, and controlled software installation practices.
  • Improve endpoint prevention and monitoring for suspicious DLL loads, unexpected child processes, and abnormal module paths.
  • Ensure incident response playbooks include collection of loaded modules, PE metadata, process memory where appropriate, and related file artifacts for loader investigations.
  • Use vulnerability and configuration management to identify applications with unsafe DLL loading behavior, but validate findings against business-critical software before blocking.

Analyst notes and limits

The supplied ATT&CK object is sparse: no official detection guidance, no aliases, no labels, and no explicit tactics listed on the malware object. The strongest defensive value comes from its documented behavior and relationships to specific ATT&CK techniques. The Mustang Panda relationship supports prioritization and context, not a conclusion that the organization is targeted or compromised.

This take is based only on the provided ATT&CK/STIX fields, external reference metadata, and relationships. It does not include indicators of compromise, hashes, infrastructure, campaign details beyond the provided citation, or environment-specific prevalence. Local telemetry, asset criticality, and software baselines are required to determine detection coverage and risk.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1027.007 | Dynamic API Resolution (sub-technique)
CANONSTAGER has used custom API hashing to obfuscate the Windows APIs it calls.[1]

Enterprise | T1055.005 | Thread Local Storage (sub-technique)
CANONSTAGER uses the Thread Local Storage (TLS) array data structure to store function addresses resolved by its custom API hashing algorithm. The function addresses are later called throughout the binary from offsets into the TLS array.[1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
CANONSTAGER has named its malicious DLL to match a legitimate program: cnmpaui.dll pairs with the legitimate executable cnmpaui.exe, which belongs to the Canon Ink Jet Printer Assistant Tool.[1]

Enterprise | T1574.001 | DLL (sub-technique)
CANONSTAGER has abused legitimate executables to side-load malicious DLLs.[1]

Enterprise | T1106 | Native API
CANONSTAGER has used Native API calls to execute code on the victim system, including `GetCurrentDirectoryW`, `RegisterClassW` and `CreateWindowExW`.[1] CANONSTAGER also created a new overlapped window whose window procedure processes Windows messages until the designated message type 0x0018 (WM_SHOWWINDOW) arrives, at which point it deploys the subsequent malicious payload.[1]

Enterprise | T1564.003 | Hidden Window (sub-technique)
CANONSTAGER has created a new window with a height and width of zero so that it never appears on screen.[1]
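To make the T1027.007 and T1055.005 rows concrete, here is an added Python sketch (not CANONSTAGER's code and not taken from the cited report) of hash-based API resolution with the resolved addresses parked in per-thread slots and invoked by slot index, followed by the analyst-side inversion of the hashes. The ROR13 hash, the stand-in export table and the addresses are assumptions; the page does not state which hash algorithm CANONSTAGER uses.

```python
import threading

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 string hash, a common loader choice (illustrative)."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + ch) & MASK32
    return h


# Constructed stand-in for a module's export table: name -> fake address.
FAKE_EXPORTS = {
    "GetCurrentDirectoryW": 0x7FFE0001000,
    "RegisterClassW":       0x7FFE0002000,
    "CreateWindowExW":      0x7FFE0003000,
    "ShowWindow":           0x7FFE0004000,
    "GetMessageW":          0x7FFE0005000,
}

# Loader side: a real binary embeds only these 32-bit constants, never the
# API names. They are computed here so the example stays self-contained.
WANTED_HASHES = [ror13_hash(n) for n in
                 ("GetCurrentDirectoryW", "RegisterClassW", "CreateWindowExW")]

# threading.local stands in for the thread's TLS array (TEB TlsSlots).
_tls = threading.local()


def resolve_by_hash(target_hash: int, exports=FAKE_EXPORTS) -> int:
    """Walk the export names, hash each one, return the first matching address."""
    for name, addr in exports.items():
        if ror13_hash(name) == target_hash:
            return addr
    raise LookupError(f"no export hashes to {target_hash:#010x}")


def populate_tls_slots(hashes):
    """Resolve every hash and park the addresses in per-thread slots 0..n-1."""
    _tls.slots = [resolve_by_hash(h) for h in hashes]
    return _tls.slots


def call_via_slot(index: int) -> int:
    """Where native code would do `call [tls_array + index*8]`; returns the target."""
    return _tls.slots[index]


# Analyst side: precompute hashes of known export names, then invert them.
def build_rainbow(names):
    return {ror13_hash(n): n for n in names}


def recover_names(hashes, rainbow):
    return [rainbow.get(h, f"unknown:{h:#010x}") for h in hashes]


if __name__ == "__main__":
    slots = populate_tls_slots(WANTED_HASHES)
    print([hex(call_via_slot(i)) for i in range(len(slots))])
    print(recover_names(WANTED_HASHES, build_rainbow(FAKE_EXPORTS)))
```

The defensive takeaway is in the last two functions: because the hash is deterministic, an analyst who has the export names of the modules the loader walks (kernel32, user32, and so on) can precompute a hash-to-name table once and recover every call target from the embedded constants, even though neither the import table nor the string table names them.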

Associated objects

Groups, software, and campaigns

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK Resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f030853c1b3ac8b1...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f030853c1b3a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025
     Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
  2. [2] mitre-attack S1237 (the CANONSTAGER entry on attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.