PUBLOAD

Malware & Tools · PUBLOAD

· MalwareS1228 · Zararlı Yazılım

Type

malware

Techniques

Used By

1 groups

Platforms

Windows

Description

PUBLOAD is a stager malware that has been observed installing itself in existing directories such as `C:\Users\Public` or creating new directories to stage the malware and its components.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as “NoFive” and some public reporting identifies the loader component as CLAIMLOADER.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)

Tactic Coverage

discovery (15)stealth (8)command and control (6)execution (5)persistence (3)privilege escalation (2)exfiltration (1)defense impairment (1)collection (1)

Used By (1 groups)

G0129Mustang PandaTA416, RedDelta

Techniques (35)

T1001.003Protocol or Service Impersonation

command and control

T1007System Service Discovery

discovery

T1012Query Registry

discovery

T1016System Network Configuration Discovery

discovery

T1016.001Internet Connection Discovery

discovery

T1016.002Wi-Fi Discovery

discovery

T1027Obfuscated Files or Information

References

https://attack.mitre.org/software/S1228 https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html

T1027.015Compression

stealth

T1033System Owner/User Discovery

discovery

T1036.005Match Legitimate Resource Name or Location

stealth

T1047Windows Management Instrumentation

execution

T1048.003Exfiltration Over Unencrypted Non-C2 Protocol

exfiltration

T1049System Network Connections Discovery

discovery

T1053.005Scheduled Task

executionpersistence

T1057Process Discovery

discovery

T1059.003Windows Command Shell

execution

T1071.001Web Protocols

command and control

T1071.002File Transfer Protocols

command and control

T1082System Information Discovery

discovery

T1105Ingress Tool Transfer

command and control

T1106Native API

execution

T1124System Time Discovery

discovery

T1140Deobfuscate/Decode Files or Information

stealth

T1205Traffic Signaling

stealthpersistence

T1480.001Environmental Keying

stealth

T1518Software Discovery

discovery

T1518.001Security Software Discovery

discovery

T1547.001Registry Run Keys / Startup Folder

persistenceprivilege escalation

T1553.002Code Signing

defense impairment

T1560.001Archive via Utility

collection

T1573.001Symmetric Cryptography

command and control

T1574.001DLL

stealthexecution

T1614.001System Language Discovery

discovery

T1622Debugger Evasion

stealthdiscovery

T1680Local Storage Discovery

discovery