{"description": "Enterprise techniques used by PUBLOAD, ATT&CK software S1228 (v1.1)", "name": "PUBLOAD (S1228)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has communicated via `curl` over HTTP to identify device IP data.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024) [PUBLOAD](https://attack.mitre.org/software/S1228) has also utilized HTTP for a command-and-control protocol through HTTP POST.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Palo Alto Networks, Unit 42) [PUBLOAD](https://attack.mitre.org/software/S1228) has also leveraged HTTPS for C2.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used `curl` for data exfiltration over FTP.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used utilities such as `WinRAR` to archive data prior to exfiltration.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has added Registry Run keys to achieve persistence using `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used several commands executed in sequence via `cmd`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has modified HTTP POST requests to resemble legitimate communications.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Palo Alto Networks, Unit 42) [PUBLOAD](https://attack.mitre.org/software/S1228) has used FakeTLS headers in network packets to impersonate various versions of the TLS protocol and blend in with legitimate network traffic. [PUBLOAD](https://attack.mitre.org/software/S1228) has utilized FakeTLS headers with the bytes 17 03 03.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has embedded debug strings with messages to distract analysts.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [PUBLOAD](https://attack.mitre.org/software/S1228) has leveraged the `OutputDebugStringW` and `OutputDebugStringA` functions.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has decoded its payload prior to execution.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used RC4 encryption in C2 communications.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has utilized environmental keying in the payload based on the victim volume serial number, computer name, username, and machine\u2019s tick count.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has leveraged `curl` for data exfiltration over FTP by uploading RAR archives containing targeted files (.doc, .docx, .xls, .xlsx, .pdf, .ppt, .pptx) to an adversary-owned FTP site.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has abused legitimate executables to side-load malicious DLLs.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Palo Alto Networks, Unit 42)(Citation: PaloAlto MUSTANG PANDA PUBLOAD MARCH 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has acted as a stager that can download the next-stage payload from its C2 server.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Palo Alto Networks, Unit 42) [PUBLOAD](https://attack.mitre.org/software/S1228) has also delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1680", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has leveraged `wmic logicaldisk get` to map local network drives.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has renamed malicious files to mimic legitimate file names such as adobe_wf.exe.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used various Windows API calls during execution, persistence establishment, and defense evasion.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA) The [PUBLOAD](https://attack.mitre.org/software/S1228) stager has leveraged Windows API functions with callbacks, including `GrayStringW`, `EnumDateFormatsA`, and `LineDDA`, to bypass anti-virus monitoring.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [PUBLOAD](https://attack.mitre.org/software/S1228) has also utilized other native Windows API functions with callback functions such as `EnumChildWindows` and `EnumSystemLanguageGroupsA`.(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has obfuscated DLL names using the ror13AddHash32 algorithm.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has been delivered as compressed files within ZIP files to victims.(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used `tasklist` to gather running processes on the victim host.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024) [PUBLOAD](https://attack.mitre.org/software/S1228) has also leveraged the `OpenEventA` Windows API function to check whether the same process was already running.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has queried Registry values to identify software using `reg query`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has created scheduled tasks to maintain persistence with the command `schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\\\Users\\\\Public\\\\Libraries\\...`(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Lab52 MUSTANG PANDA PUBLOAD MAY 2023)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1518", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used several commands executed in sequence via `cmd` in a short interval to gather software versions, including by querying Registry keys.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has identified AV products on an infected host using the following command: `WMIC  /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used valid digital signatures and certificates to evade detection.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has collected and sent system information including volume serial number, computer name, and system uptime to its designated C2.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA) [PUBLOAD](https://attack.mitre.org/software/S1228) has also used several commands executed in sequence via `cmd` in a short interval to gather system information about the infected host, including `systeminfo`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024) [PUBLOAD](https://attack.mitre.org/software/S1228) has decrypted shellcode that collects the computer name.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has checked supported languages on the compromised system.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has obtained information about local networks through the `ipconfig /all` command.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1016.001", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has identified internet connectivity details through commands such as `tracert -h 5 -4 google.com` and `curl http://myip.ipip.net`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016.002", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has collected information on Wi-Fi networks from victim hosts leveraging `netsh wlan show profiles`, `netsh wlan show interface`, and `netsh wlan show`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1049", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used several commands executed in sequence via `cmd` in a short interval to gather information on network connections.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has obtained the username from an infected host.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has leveraged `tasklist` to gather running services on the victim host.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has collected the machine\u2019s tick count through the use of `GetTickCount`.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of 17 03 03.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: PaloAlto MUSTANG PANDA PUBLOAD MARCH 2024) [PUBLOAD](https://attack.mitre.org/software/S1228) has also used magic bytes consisting of 46 77 4d.(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[PUBLOAD](https://attack.mitre.org/software/S1228) has used `wmic` to gather information from the victim device.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PUBLOAD", "color": "#66b1ff"}]}