{
  "description": "Enterprise techniques used by CANONSTAGER, ATT&CK software S1237 (v1.0)",
  "name": "CANONSTAGER (S1237)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[CANONSTAGER](https://attack.mitre.org/software/S1237) has created a window with a height and width of zero so that it never appears on screen.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[CANONSTAGER](https://attack.mitre.org/software/S1237) has abused legitimate executables to side-load malicious DLLs.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[CANONSTAGER](https://attack.mitre.org/software/S1237) has named its malicious DLL to match the DLL a legitimate program expects to load: cnmpaui.dll, which is loaded by the legitimate executable cnmpaui.exe from the Canon Ink Jet Printer Assistant Tool.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[CANONSTAGER](https://attack.mitre.org/software/S1237) has used native API calls, including `GetCurrentDirectoryW`, `RegisterClassW` and `CreateWindowExW`, to execute code on the victim\u2019s system.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025) [CANONSTAGER](https://attack.mitre.org/software/S1237) also created an overlapped window whose window procedure is invoked by callback to process Windows messages; the procedure waits until it observes message type 0x0018 (WM_SHOWWINDOW) and only then deploys the subsequent malicious payload.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.007", "comment": "[CANONSTAGER](https://attack.mitre.org/software/S1237) has used custom API hashing to obscure which Windows APIs it calls.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.005", "comment": "[CANONSTAGER](https://attack.mitre.org/software/S1237) stores the function addresses resolved by its custom API hashing algorithm in the Thread Local Storage (TLS) array. Throughout the binary, those functions are then called through offsets into the TLS array.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by CANONSTAGER", "color": "#66b1ff"}]
}
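The API-hashing and TLS-slot behaviour recorded in the T1027.007 and T1055.005 entries above is what an analyst has to undo to read the binary: every call site is an indirect call through a TLS slot, and the slot was filled by resolving a hash constant. The Python below is an added example, not CANONSTAGER's code and not from the cited report. It hashes a constructed list of export names with a stand-in ROR13 routine (an assumption, since the page does not describe CANONSTAGER's custom algorithm), then maps the hash constants a loader would store per TLS slot back to API names, so a call through slot N can be read as a named call. Swap in the routine recovered from the sample and the lookup stays the same.

```python
"""Resolve hashed API names back to symbols and label TLS-array slots.

Added example, not CANONSTAGER's code. The ROR13 hash is a stand-in
(assumption): the page only says the sample uses a *custom* hash.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (the primitive most API-hash
    routines are built from)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """Illustrative ROR13-add hash over the ASCII export name (assumed
    algorithm). Each byte is folded into a 32-bit accumulator that is
    rotated right by 13 before the byte is added."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed list of exports an analyst would hash ahead of time. In a real
# workflow you walk the export table of every DLL on the victim build (for
# example with pefile) and feed all exported names in here.
KNOWN_EXPORTS = [
    "GetCurrentDirectoryW", "RegisterClassW", "CreateWindowExW",  # named on the page
    "ShowWindow", "DefWindowProcW", "GetMessageW", "DispatchMessageW",
    "LoadLibraryW", "GetProcAddress", "VirtualAlloc",
]


def build_table(exports: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name; refuse to build silently over a collision."""
    table: Dict[int, str] = {}
    for name in exports:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


EXPORT_TABLE = build_table(KNOWN_EXPORTS)


def resolve(table: Dict[int, str], h: int) -> Optional[str]:
    """Name behind a hash constant, or None if no indexed export matches
    (either the DLL was not indexed or the hash algorithm guess is wrong)."""
    return table.get(h & MASK32)


def resolve_tls_slots(table: Dict[int, str], slot_hashes: List[int]) -> List[Optional[str]]:
    """Mirror the layout the page describes: the loader resolves each hash once
    and stores the pointer in a TLS-array slot; later code calls slot[i].
    Given the hash constants in slot order, return the API name per slot."""
    return [resolve(table, h) for h in slot_hashes]


# Constructed stand-in for the constants pulled from the loader's resolver, in
# the order it fills its TLS slots. Real values come from the disassembly;
# these are generated here so the example runs offline.
SAMPLE_SLOT_HASHES = [
    api_hash(n) for n in ("GetCurrentDirectoryW", "RegisterClassW", "CreateWindowExW")
]

if __name__ == "__main__":
    for slot, name in enumerate(resolve_tls_slots(EXPORT_TABLE, SAMPLE_SLOT_HASHES)):
        print(f"TLS slot {slot}: 0x{SAMPLE_SLOT_HASHES[slot]:08x} -> {name}")
```

A `None` from `resolve` is itself informative: either the sample resolves from a DLL you have not indexed, or the hash routine you recovered is wrong (a common miss is forgetting that the sample hashes the name as a null-terminated or upper-cased string).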
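A detection angle on the T1574.001 and T1036.005 entries above: the side-loaded DLL keeps the name the legitimate Canon executable expects (cnmpaui.dll beside cnmpaui.exe), so the file name is not the signal; where the pair lives and whether the DLL carries a signature is. The Python below is an added example, not from the page or the cited report. It runs that rule over constructed Sysmon Event ID 7 (image load) style records flattened to key=value lines; the trusted install prefixes and the `C:\Program Files\Canon\PrinterAssistant` path are assumptions made for the example.

```python
"""Flag DLL side-loading of a known EXE/DLL pair from image-load telemetry.

Added example, not from the page or the original report. Log lines are
constructed; the Canon install paths are an assumption for the rule.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Legitimate EXE -> DLL it is expected to load beside itself. The only pair
# the page supports is cnmpaui.exe / cnmpaui.dll; extend from your telemetry.
SIDELOAD_PAIRS = {"cnmpaui.exe": "cnmpaui.dll"}

# Where the genuine Canon tool would be installed (assumed; the page gives no
# install path). A load of the paired DLL from anywhere else is treated as a
# staging location.
TRUSTED_PREFIXES = (
    "c:\\program files\\canon\\",
    "c:\\program files (x86)\\canon\\",
)


@dataclass
class ImageLoad:
    image: str         # process that loaded the module
    image_loaded: str  # path of the module that was loaded
    signed: bool
    signature: str


# key=value pairs; values may contain spaces, so each value runs up to the
# next " key=" or the end of the line.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line: str) -> ImageLoad:
    fields = dict(_FIELD_RE.findall(line))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def _split(path: str) -> Tuple[str, str]:
    """Lower-cased (directory with trailing backslash, file name)."""
    head, _, tail = path.lower().rpartition("\\")
    return head + "\\", tail


def sideload_reason(ev: ImageLoad) -> Optional[str]:
    """Why this load looks like side-loading, or None if the rule is silent."""
    exe_dir, exe = _split(ev.image)
    dll_dir, dll = _split(ev.image_loaded)
    if SIDELOAD_PAIRS.get(exe) != dll:
        return None  # not one of the EXE/DLL pairs being tracked
    reasons = []
    if not dll_dir.startswith(TRUSTED_PREFIXES):
        reasons.append("paired DLL loaded from outside the trusted install path")
    if exe_dir == dll_dir and not ev.signed:
        reasons.append("co-located DLL is unsigned")
    return "; ".join(reasons) or None


def hunt(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(loaded DLL path, reason) for every record the rule flags."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.image_loaded, reason))
    return hits


# Constructed Sysmon Event ID 7 style records (not real telemetry): a genuine
# install, the same pair copied to a world-writable directory, and noise.
SAMPLE_LOG = [
    "Image=C:\\Program Files\\Canon\\PrinterAssistant\\cnmpaui.exe "
    "ImageLoaded=C:\\Program Files\\Canon\\PrinterAssistant\\cnmpaui.dll "
    "Signed=true Signature=Canon Inc.",
    "Image=C:\\Users\\Public\\Music\\cnmpaui.exe "
    "ImageLoaded=C:\\Users\\Public\\Music\\cnmpaui.dll "
    "Signed=false Signature=",
    "Image=C:\\Windows\\explorer.exe "
    "ImageLoaded=C:\\Windows\\System32\\user32.dll "
    "Signed=true Signature=Microsoft Windows",
]

if __name__ == "__main__":
    for path, why in hunt(SAMPLE_LOG):
        print(f"ALERT {path}: {why}")
```

Sysmon itself emits XML/EVTX; the flat key=value input is an assumption that matches what many forwarders produce, and the parser is the only part that would change for another format. The second rule condition (unsigned DLL co-located with the EXE) is what still fires if an attacker drops the pair under a path that happens to match the trusted prefix.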