PUBLOAD
MITRE / Other
[PUBLOAD](https://attack.mitre.org/software/S1228) is a stager malware that has been observed installing itself in existing directories such as `C:\Users\Public` or creating new directories to stage the malware and its components.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload) [PUBLOAD](https://attack.mitre.org/software/S1228) malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. [PUBLOAD](https://attack.mitre.org/software/S1228) malware has previously been leveraged by China-affiliated actors identified as [Mustang Panda](https://attack.mitre.org/groups/G0129). [PUBLOAD](https://attack.mitre.org/software/S1228) is also known as “NoFive” and some public reporting identifies the loader component as [CLAIMLOADER](https://attack.mitre.org/software/S1236).(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)
Associated Techniques (35)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1001.003 | Protocol or Service Impersonation | - |
| T1007 | System Service Discovery | - |
| T1012 | Query Registry | - |
| T1016 | System Network Configuration Discovery | - |
| T1016.001 | Internet Connection Discovery | - |
| T1016.002 | Wi-Fi Discovery | - |
| T1027 | Obfuscated Files or Information | - |
| T1027.015 | Compression | - |
| T1033 | System Owner/User Discovery | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1047 | Windows Management Instrumentation | - |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | - |
| T1049 | System Network Connections Discovery | - |
| T1053.005 | Scheduled Task | - |
| T1057 | Process Discovery | - |
Used by Actors (1)
Metadata
| ID: | 146 |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 04:00 |