S1238: STATICPLUGIN
STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and was first observed in use in 2025. STATICPLUGIN has utilized a valid certificate in order to bypass endpoint security protections. STATICPLUGIN masqueraded as a legitimate software installer by using a custom TForm. STATICPLUGIN has been leveraged to deploy a loader that facilitates follow-on malware.[1]
Analyst context for executives and security teams
STATICPLUGIN matters because it is a Windows downloader described by ATT&CK as using trust and deception rather than obvious exploit behavior: valid code signing, installer-like presentation, and masquerading to help bypass endpoint scrutiny and deliver a follow-on loader. For leaders, the practical issue is whether the organization can distinguish a genuinely trusted installer from a signed but suspicious downloader before it enables additional malware.
Executive priority
Prioritize this as a control-validation and response-readiness issue, not just a malware name. Ask whether endpoint, email/web, certificate reputation, and SOC workflows treat valid signatures as one signal among many, whether incident responders can quickly trace a user-opened installer to downloaded follow-on payloads, and whether audit evidence shows monitoring for signed malware, masqueraded files, and Windows COM-related execution paths.
Technical view
ATT&CK lists STATICPLUGIN as Windows malware with no standalone detection guidance, but its relationships point defenders toward validation around Malicious File execution, masquerading, code signing abuse, legitimate-looking names or locations, and COM-based execution. SOC teams should test whether telemetry links the initial user-executed file or installer-like binary to file writes, network retrieval activity, certificate metadata, child processes, COM activity, and any loader or follow-on malware deployment. The Mustang Panda relationship provides threat-intelligence context, but local detection should be behavior-led rather than assuming attribution.
Likely telemetry
- Windows endpoint process creation and command-line events for installer-like executables
- File creation, modification, and execution metadata including paths, names, extensions, icons, PE headers, and file-type mismatches
- Code-signing and certificate metadata, including signer, validity, trust chain, and prevalence in the environment
- Endpoint security allow/block/quarantine logs where valid signatures may influence trust decisions
- Network egress, proxy, DNS, and download telemetry associated with downloader behavior
Detection direction
- Do not treat a valid certificate as sufficient trust; correlate signing status with file origin, prevalence, publisher reputation, execution path, and post-execution behavior.
- Hunt for installer-like binaries that create or execute unexpected follow-on files, especially when file type, extension, icon, resource name, or path appears designed to look legitimate.
- Tune detections for signed downloaders that perform unusual network retrieval, write executable content, or spawn loaders shortly after user execution.
- Validate coverage for Windows COM execution patterns where a suspicious process invokes COM or uses COM-linked binaries during local execution.
- Use the related techniques as analytic anchors: malicious file execution, masquerading, code signing, matching legitimate resource names or locations, and COM execution.
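As an added example (not part of the ATT&CK entry or Glexia's analysis), the Python below scores one user-launched process tree against the signals listed above: a valid signature treated as one signal among several, an extension-versus-header mismatch such as the BMP/MSI masquerade noted in the techniques table, executable or MSI content written after network retrieval, and a child process spawned from a freshly written file. Event field names, directory patterns and the sample events are constructed assumptions loosely modelled on endpoint telemetry, not a real product schema.

```python
# Magic bytes identifying the real container type regardless of extension.
# MSI packages are OLE compound files; PE executables start with "MZ".
MAGIC = {b"BM": "bmp", b"MZ": "pe", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole"}
IMAGE_EXTS = ("bmp", "jpg", "png", "gif")
USER_DIRS = ("\\downloads\\", "\\temp\\")  # user-writable drop locations (assumption)

def real_type(header: bytes) -> str:
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return "unknown"

def in_user_dir(path: str) -> bool:
    return any(d in path.lower() for d in USER_DIRS)

def score_tree(proc, files, net, children):
    """Score a user-launched process plus its file, network and child events; returns (score, reasons)."""
    reasons = []
    # A valid signature is one signal only: a rare, signed binary in a user-writable path still counts.
    if proc["signed"] and proc["prevalence"] <= 2 and in_user_dir(proc["image"]):
        reasons.append("signed but low-prevalence binary launched from user-writable path")
    written = set()
    for f in files:
        ext = f["path"].rsplit(".", 1)[-1].lower()
        kind = real_type(f["header"])
        if ext in IMAGE_EXTS and kind in ("pe", "ole"):
            reasons.append(f"file-type mismatch: {f['path']} has a {kind} header")
        if kind in ("pe", "ole"):
            written.add(f["path"].lower())
    if net and written:
        reasons.append("network retrieval followed by executable/MSI content written to disk")
    for c in children:
        if c["image"].lower() in written:
            reasons.append(f"child process spawned from freshly written file: {c['image']}")
    return len(reasons), reasons

# Constructed sample events (hypothetical paths; 203.0.113.10 is a documentation address).
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
SUSPECT = dict(
    proc={"image": "C:\\Users\\u\\Downloads\\AdobePlugins.exe", "signed": True, "prevalence": 1},
    files=[{"path": "C:\\Users\\u\\AppData\\Local\\Temp\\plugin.bmp", "header": OLE},
           {"path": "C:\\Users\\u\\AppData\\Local\\Temp\\helper.exe", "header": b"MZ\x90\x00"}],
    net=[{"dst": "203.0.113.10", "port": 443}],
    children=[{"image": "C:\\Users\\u\\AppData\\Local\\Temp\\helper.exe"}],
)
BENIGN = dict(proc={"image": "C:\\Program Files\\Vendor\\setup.exe", "signed": True, "prevalence": 400},
              files=[{"path": "C:\\Program Files\\Vendor\\logo.bmp", "header": b"BM\x36\x00"}],
              net=[], children=[])
```

Run `score_tree(**SUSPECT)` to see the four reasons fire while the widely deployed, correctly typed vendor installer scores zero.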
Mitigation priorities
- Harden endpoint policy so signed code is still inspected for reputation, origin, behavior, and prevalence rather than automatically trusted.
- Improve user-execution controls for downloaded or emailed files, including attachment handling, web download inspection, and user awareness around installer lures.
- Maintain application control or allowlisting where feasible, with governance for trusted publishers and approved software distribution paths.
- Ensure incident response playbooks capture certificate details, file lineage, network destinations, child processes, and any follow-on loader artifacts.
- Review certificate and software inventory processes so unusual or newly observed signed binaries can be escalated quickly.
Analyst notes and limits
The object is recent in ATT&CK release 19.1 and has sparse official fields: no ATT&CK tactics are listed for the malware object and no official detection text is provided. The strongest defensive value comes from the official description and relationships: downloader behavior, valid certificate use, installer masquerading, follow-on loader deployment, and mapped techniques for masquerading, malicious file execution, code signing, and COM.
This take is limited to the supplied ATT&CK fields, external reference, and relationships. It does not establish active exploitation against any specific organization, does not prove current targeting, and does not guarantee detection coverage. Local environment telemetry, approved software baselines, certificate reputation data, and incident evidence are required to determine exposure and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553.002 | Code Signing (sub-technique) | STATICPLUGIN has been signed with a valid Certificate Authority (CA) certificate to circumvent endpoint defenses.[1] |
| Enterprise | T1036.008 | Masquerade File Type (sub-technique) | STATICPLUGIN has masqueraded as a BMP file to hide its true MSI file extension.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | STATICPLUGIN has leveraged naming conventions that match legitimate services, including AdobePlugins.exe.[1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | STATICPLUGIN has required user execution to load subsequent malicious payloads.[1] |
| Enterprise | T1559.001 | Component Object Model (sub-technique) | STATICPLUGIN has utilized the Windows COM Installer Object to download an MSI package containing files masqueraded as a BMP file.[1] |
Groups, software, and campaigns
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d4312a9b46e8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025: Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025. (Open source URL)
- [2] mitre-attack S1238: MITRE ATT&CK software entry for STATICPLUGIN. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.