CorKLOG

Malware & Tools · CorKLOG

· MalwareS1235 · Zararlı Yazılım

Type

malware

Techniques

Used By

1 groups

Platforms

Windows

Description

CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or with scheduled tasks.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)

Tactic Coverage

stealth (3)execution (2)persistence (2)privilege escalation (2)collection (2)credential access (1)defense impairment (1)

Used By (1 groups)

G0129Mustang PandaTA416, RedDelta

Techniques (8)

T1027.013Encrypted/Encoded File

stealth

T1053.005Scheduled Task

executionpersistence

T1056.001Keylogging

collectioncredential access

T1074.001Local Data Staging

collection

T1140Deobfuscate/Decode Files or Information

stealth

T1543.003Windows Service

persistence

References

https://attack.mitre.org/software/S1235 https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2