Latest Mustang Panda Arsenal: Toneshell, StarProxy, PAKLOG, CorKLOG, and SplatCloak

Description

Mustang Panda, a threat actor group, has developed new tools including two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data, using a custom encoding scheme. CorKLOG captures keystrokes, encrypts data with RC4, and establishes persistence through services or scheduled tasks. SplatCloak disables kernel-level notification callbacks for Windows Defender and Kaspersky drivers, employing obfuscation techniques like control flow flattening and mixed boolean arithmetic. Along with those tools, the group has been observed using updated versions of ToneShell and a new tool called StarProxy. ToneShell, a backdoor, now features changes in its FakeTLS C2 communication protocol and client identifier storage methods. StarProxy, a lateral movement tool, uses the FakeTLS protocol to proxy traffic and facilitate attacker communications.