Intel Name: Latest Mustang Panda arsenal: PAKLOG, CorKLOG, and SplatCloak | p2
Date of Scan: April 17, 2025
Impact: High
Summary: Mustang Panda continues to develop custom tools for targeted attacks. They use PAKLOG and CorKLOG keyloggers—PAKLOG obfuscates data with custom encoding, while CorKLOG encrypts logs using a 48-character RC4 key. Persistence is achieved via services and scheduled tasks. The group also deploys SplatCloak, a tool that disables security callbacks and uses heavy code obfuscation to evade analysis.