Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak

Medium
Published: Wed Apr 16 2025 (04/16/2025, 20:35:24 UTC)
Source: AlienVault OTX

Description

Mustang Panda, a threat actor group, has developed new tools including two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data, using a custom encoding scheme. CorKLOG captures keystrokes, encrypts data with RC4, and establishes persistence through services or scheduled tasks. SplatCloak disables kernel-level notification callbacks for Windows Defender and Kaspersky drivers, employing obfuscation techniques like control flow flattening and mixed boolean arithmetic. Along with those tools, the group has been observed using updated versions of ToneShell and a new tool called StarProxy. ToneShell, a backdoor, now features changes in its FakeTLS C2 communication protocol and client identifier storage methods. StarProxy, a lateral movement tool, uses the FakeTLS protocol to proxy traffic and facilitate attacker communications.

AI-Powered Analysis

Last updated: 07/02/2025, 03:57:42 UTC

Technical Analysis

Mustang Panda, a known threat actor group, has expanded its malware arsenal with several sophisticated tools targeting Windows environments. The new additions include two keyloggers, PAKLOG and CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver named SplatCloak. PAKLOG captures keystrokes and clipboard data, employing a custom encoding scheme to obfuscate the stolen information, complicating detection and analysis. CorKLOG also captures keystrokes but encrypts the data using the RC4 algorithm and establishes persistence on infected systems through Windows services or scheduled tasks, ensuring long-term access. SplatCloak is a kernel-mode driver designed to disable notification callbacks used by security products such as Windows Defender and Kaspersky, effectively evading detection. It uses advanced obfuscation techniques including control flow flattening and mixed boolean arithmetic to hinder reverse engineering efforts. Alongside these tools, Mustang Panda continues to use updated versions of ToneShell, a backdoor that communicates with its command and control (C2) infrastructure via a modified FakeTLS protocol, enhancing stealth and resilience. The client identifier storage method has also been altered, likely to evade signature-based detection. StarProxy, a newly observed tool, facilitates lateral movement within compromised networks by proxying attacker traffic through the FakeTLS protocol, enabling stealthy command relay and data exfiltration. Collectively, these tools demonstrate Mustang Panda's focus on stealth, persistence, and network maneuverability, indicating a mature and evolving threat capable of targeted espionage and data theft.

Potential Impact

For European organizations, the deployment of Mustang Panda's updated toolkit poses significant risks. The keyloggers (PAKLOG and CorKLOG) threaten confidentiality by capturing sensitive credentials, intellectual property, and personal data. The EDR evasion capabilities of SplatCloak reduce the effectiveness of native and third-party security solutions, increasing the likelihood of prolonged undetected intrusions. ToneShell's backdoor and StarProxy's lateral movement capabilities enable attackers to maintain persistent access and move laterally within networks, potentially compromising multiple systems and critical infrastructure. This can lead to data breaches, espionage, operational disruption, and reputational damage. Given the sophistication of these tools and their focus on stealth, detection and remediation efforts may be delayed, exacerbating the impact. European organizations in sectors such as government, defense, critical infrastructure, finance, and technology are particularly at risk due to the strategic value of their data and systems.

Mitigation Recommendations

European organizations should implement targeted mitigations beyond generic advice. First, deploy advanced endpoint detection solutions capable of identifying kernel-level manipulations and obfuscated code patterns, focusing on anomalies in driver behavior and service creation. Regularly audit scheduled tasks and Windows services for unauthorized persistence mechanisms. Network monitoring should include detection of FakeTLS protocol anomalies and unusual proxy traffic indicative of StarProxy activity. Employ threat hunting to search for indicators of Mustang Panda tools, even if specific IOCs are not publicly available. Enforce strict least privilege policies to limit lateral movement opportunities and segment networks to contain potential intrusions. Regularly update and harden EDR and antivirus solutions, ensuring they can detect or block obfuscation techniques like control flow flattening. Conduct user awareness training emphasizing phishing and social engineering risks, as initial infection vectors often rely on these methods. Finally, collaborate with national cybersecurity centers and share threat intelligence to stay informed about Mustang Panda activity and emerging detection techniques.
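The mitigation above calls for spotting FakeTLS anomalies on the network. As an added example (not code from the page or from the Zscaler reports, whose protocol details are not reproduced here), the heuristic below assumes only that FakeTLS traffic wears a TLS record header without a genuine handshake: it checks whether the first client-to-server record is a well-formed, unfragmented ClientHello and reports what is wrong when it is not.

```python
"""Heuristic first-record check for FakeTLS-style client streams.

Added example; it does not know Mustang Panda's real FakeTLS framing and only
looks for TLS record headers that are not followed by a genuine handshake.
Assumes the ClientHello fits in a single record (no fragmentation).
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303}  # TLS 1.0 - 1.2 record versions


def inspect_first_record(data: bytes) -> list[str]:
    """Return anomaly descriptions for the first client record; [] if it looks genuine."""
    findings = []
    if len(data) < 5:
        return ["truncated record header"]
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if version not in KNOWN_VERSIONS:
        findings.append(f"unknown record version 0x{version:04x}")
    body = data[5:5 + length]
    if len(body) != length:
        findings.append(f"declared length {length} but only {len(body)} bytes present")
    if ctype == TLS_APPLICATION_DATA:
        # Real TLS never carries application data before the handshake.
        findings.append("application data before any handshake")
        return findings
    if ctype != TLS_HANDSHAKE:
        findings.append(f"unexpected content type 0x{ctype:02x}")
        return findings
    if len(body) < 4:
        return findings + ["handshake header truncated"]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO:
        findings.append(f"first handshake message type {hs_type}, not ClientHello")
    if hs_len != len(body) - 4:
        findings.append(f"handshake length {hs_len} disagrees with body {len(body) - 4}")
    return findings


def build_record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Wrap a body in a TLS record header (used to build constructed samples)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed samples, not captured traffic.
GENUINE = build_record(TLS_HANDSHAKE, bytes([CLIENT_HELLO]) + (40).to_bytes(3, "big")
                       + b"\x03\x03" + b"\x00" * 38)
FAKE = build_record(TLS_APPLICATION_DATA, b"\x7a\x01\x00\x00\x03hello")
```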

Technical Details

Author
AlienVault
TLP
white
References
https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2
https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1
Adversary
Mustang Panda

Indicators of Compromise

Domain

www.dest-working.com
www.profile-keybord.com

Threat ID: 682c992c7960f6956616a38c

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 7/2/2025, 3:57:42 AM

Last updated: 8/17/2025, 2:27:32 AM
