Advanced Persistent Threat (APT) group Earth Preta (a.k.a. Mustang Panda) has been observed weaponizing the Microsoft Application Virtualization Injector (MAVInject.exe) to bypass security software and implant backdoors in government systems across Asia-Pacific regions.
The campaign, analyzed by Trend Micro’s Threat Hunting Team, combines legitimate software with sophisticated code injection to avoid detection.
MAVInject.exe, a signed Microsoft utility designed for application virtualization, has been repurposed by Earth Preta to inject malicious payloads into the waitfor.exe process, a legitimate Windows networking tool.
Trend Micro's Threat Hunting Team noted that this technique lets the group evade ESET antivirus detection by masking malicious activity under trusted processes.
Key command-line abuse:

```
MavInject.exe <PID> /INJECTRUNNING <PATH_TO_DLL>
```

This command injects a dynamic-link library (DLL) into an already running process identified by its PID.
If ESET's ekrn.exe or egui.exe processes are detected, Earth Preta's malware triggers regsvr32.exe to sideload a malicious DLL (EACore.dll) via a legitimate Electronic Arts application (OriginLegacyCLI.exe).
Attack Chain and Payload Delivery
Initial access involves spear-phishing emails that deliver a malicious installer (IRSetup.exe), which drops files into %ProgramData%\session\.
These include legitimate executables (the Setup Factory installer), malicious components (EACore.dll, a modified TONESHELL backdoor), and a decoy PDF mimicking a Thai government anti-crime initiative.
The malware checks for ESET processes using the following excerpt of its process-enumeration routine:

```c
// pe is a PROCESSENTRY32 filled from a CreateToolhelp32Snapshot handle (<tlhelp32.h>)
if (Process32First(hSnapshot, &pe)) {
    if (!strcmp(pe.szExeFile, "ekrn.exe") || !strcmp(pe.szExeFile, "egui.exe"))
        return 1; // ESET detected
}
```
If detected, MAVInject injects code into waitfor.exe. Otherwise, it uses direct process injection via the WriteProcessMemory and CreateRemoteThreadEx APIs.
The malware decrypts shellcode to connect to www.militarytc[.]com:443.
It sends encrypted handshake packets containing a victim ID (generated via CoCreateGuid), the hostname, and encryption keys.
Data exfiltration structure:

| Offset | Size (bytes) | Description |
|---|---|---|
| 0x0 | 3 | Magic bytes (17 03 03) |
| 0x5 | 256 | AES-256 encryption key |
| 0x105 | 16 | Victim GUID |
The malware employs multiple stealth and persistence mechanisms to evade detection and maintain control. It uses Setup Factory to drop payloads and establish persistence via registry keys.
A structured exception handler dynamically switches injection methods if ESET is absent, enhancing adaptability.
Additionally, it abuses legitimate processes like OriginLegacyCLI.exe to sideload malicious DLLs, mimicking trusted software behavior to avoid suspicion.
To mitigate threats from Earth Preta, organizations should monitor legitimate tools like MAVInject.exe and waitfor.exe for unusual activity, use hunting queries to detect suspicious executions, and disable unused services, such as removing MAVInject.exe if Microsoft App-V isn't required.
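A hunting query in the spirit of the advice above, as an added Python example (not Trend Micro's code): it scans constructed process-creation records for MavInject.exe /INJECTRUNNING invocations, resolves the target PID to its image name so that injection into waitfor.exe is flagged, and separately flags regsvr32.exe loading a DLL from the %ProgramData%\session\ drop directory named in the report. The event field names and sample values are assumptions, not real telemetry.

```python
"""Hunt process-creation events for the MAVInject / waitfor.exe injection pattern."""
import re

# Constructed sample events (not real telemetry): one process-creation record each.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "cmdline": "waitfor.exe /t 9999 x", "parent": "IRSetup.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\MavInject.exe",
     "cmdline": r"MavInject.exe 4120 /INJECTRUNNING C:\ProgramData\session\EACore.dll",
     "parent": "IRSetup.exe"},
    {"pid": 4200, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\session\EACore.dll", "parent": "IRSetup.exe"},
    # Plausible benign App-V use (assumed): target PID not in our sample, so lower severity.
    {"pid": 4300, "image": r"C:\Windows\System32\MavInject.exe",
     "cmdline": r"MavInject.exe 2210 /INJECTRUNNING C:\Program Files\App-V\plugin.dll",
     "parent": "AppVClient.exe"},
]

INJECT_RE = re.compile(r"mavinject\.exe\s+(\d+)\s+/INJECTRUNNING\s+(.+)$", re.IGNORECASE)
DROP_DIR = "\\programdata\\session\\"  # drop directory named in the report (lower-cased)


def hunt(events):
    """Return a list of (severity, reason) findings for events matching the reported tradecraft."""
    # Map PID -> lower-cased image file name so an injection target can be resolved by name.
    pid_to_image = {e["pid"]: e["image"].rsplit("\\", 1)[-1].lower() for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        m = INJECT_RE.search(cmd)
        if m:
            target_pid, dll = int(m.group(1)), m.group(2).strip()
            target = pid_to_image.get(target_pid, "<unknown>")
            if target == "waitfor.exe":
                findings.append(("high", f"MAVInject into waitfor.exe (pid {target_pid}) with {dll}"))
            elif DROP_DIR in dll.lower():
                findings.append(("high", f"MAVInject loading DLL from drop dir: {dll}"))
            else:
                findings.append(("medium", f"MAVInject /INJECTRUNNING into {target} (pid {target_pid})"))
        elif e["image"].lower().endswith("regsvr32.exe") and DROP_DIR in cmd.lower():
            findings.append(("high", f"regsvr32 loading DLL from drop dir: {cmd}"))
    return findings


if __name__ == "__main__":
    for severity, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Any MAVInject use outside an App-V deployment deserves a look, which is why the unresolved target still produces a medium finding.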
Trend Micro attributes this campaign to Earth Preta with medium confidence, citing overlaps in TTPs, C&C infrastructure (militarytc[.]com), and the use of CoCreateGuid for victim identification.
Since 2022, the group has targeted over 200 entities, mainly government agencies in Taiwan, Vietnam, and Thailand.
Organizations must prioritize behavioral analytics and threat-hunting frameworks to counter such hybrid threats.