{"description": "Enterprise techniques used by CLAIMLOADER, ATT&CK software S1236 (v1.0)", "name": "CLAIMLOADER (S1236)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has added Registry Run keys to achieve persistence using `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has decoded its payload prior to execution.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has created a hardcoded mutex to ensure only a single instance of the malware is running.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has modified file attributes to remain hidden from a standard user.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has leveraged Component Object Model (COM) objects to create a scheduled task using the `ITaskService` interface.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has imitated legitimate software directories through the creation and storage of the EXE and DLL in `C:\\ProgramData\\` and the use of legitimate-looking software names.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has used various Windows API calls during execution, when establishing persistence, and for defense evasion.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA) [CLAIMLOADER](https://attack.mitre.org/software/S1236) has also leveraged legitimate API functions to run its shellcode through a callback function, including `GetDC()` and `EnumFontsW()`.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025) [CLAIMLOADER](https://attack.mitre.org/software/S1236) established persistence by utilizing the API `SHSetValue()`.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025) [CLAIMLOADER](https://attack.mitre.org/software/S1236) has utilized APIs with callback functions such as `EnumPropsExW`, `EnumSystemLanguageGroupsA`, and `EnumCalendarInfoExW`.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has utilized XOR-encrypted API names and the native APIs `LdrLoadDll()` and `LdrGetProcedureAddress()` to resolve imports dynamically.(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has created scheduled tasks that execute the loader every five (5) minutes using `schtasks /F /Create /TN \\\"\\\" /SC minute /MO 5 /TR\n\\\"C:\\\\ProgramData\\\\ \\`.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[CLAIMLOADER](https://attack.mitre.org/software/S1236) has used tailored decoy documents as part of the installation routine to entice users to open attachments.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CLAIMLOADER", "color": "#66b1ff"}]}