Security researchers have uncovered new malicious activities attributed to Mustang Panda, a China-sponsored espionage group known for targeting government entities, military organizations, and non-governmental organizations primarily in East Asia and Europe.
The threat actor has been observed utilizing weaponized RAR archives containing malicious DLLs alongside legitimate signed executables to deploy updated variants of ToneShell malware through DLL sideloading techniques.
The attack begins when victims extract and execute what appears to be legitimate software from RAR archives.
These archives typically contain a legitimate, signed executable file paired with a malicious DLL file that gets sideloaded when the executable runs.
This technique effectively bypasses security controls by leveraging the trust established through digitally signed binaries while executing malicious code.
Mustang Panda targets have predominantly included government-related entities across East Asia, with recent evidence showing active campaigns against organizations in Myanmar.
The group continues to evolve its toolset, with researchers identifying multiple variants of ToneShell deployed across different targets, each exhibiting subtle modifications to evade detection mechanisms.
Zscaler ThreatLabz researchers identified three distinct ToneShell variants during their investigation, each utilizing different legitimate executables for DLL sideloading.
The first variant was discovered in an archive named “cf.rar” containing “mrender.exe” and the malicious “libcef.dll”; the second in “ru.zip” with “FastVD.exe” and “LogMeIn.dll”; and the third in “zz.rar” with “gpgconf.exe” and “libgcrypt20.dll”.
Infection mechanism
The infection mechanism relies heavily on DLL sideloading, a technique where Windows loads a malicious DLL in place of a legitimate one by exploiting the system’s DLL search order.
When the victim executes the legitimate application, Windows attempts to load its required DLLs, inadvertently loading the malicious DLL placed alongside the legitimate executable.
This approach is particularly effective as it appears to run legitimate software while simultaneously executing malicious code.
The malicious DLLs implement sophisticated capabilities, including a custom network protocol using FakeTLS headers to disguise malicious traffic.
Newer variants have begun spoofing TLSv1.3 (using header bytes 0x17 0x03 0x04) instead of the previously observed TLSv1.2, demonstrating the threat actor’s continued efforts to evade detection.
Communication with command and control servers is encrypted using rolling XOR keys of variable lengths (from 0x100 to 0x200 bytes), generated through custom linear congruential generators with seeds derived from system time.
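As an added defender-side example (not code from the original report), the following Python parser walks a captured byte stream using the 5-byte TLS record header (type, version, length) and flags two traits of the FakeTLS framing described above: an application-data record whose version field reads 0x0304 (a genuine TLS 1.3 stack sets legacy_record_version to 0x0303 per RFC 8446, so 0x17 0x03 0x04 is itself nonstandard on the wire) and application data sent before any handshake record. The sample byte strings are constructed for illustration.

```python
import struct
from typing import List, Tuple

# TLS record content types (RFC 8446, section 5.1)
HANDSHAKE = 0x16
APPLICATION_DATA = 0x17


def parse_records(stream: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a byte stream into (content_type, version, payload) records.

    Parsing stops at the first truncated record so a partial capture
    never raises; the caller sees only complete records.
    """
    records = []
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack(">BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # header claims more bytes than the capture holds
        records.append((ctype, version, body))
        off += 5 + length
    return records


def scan_records(stream: bytes) -> List[str]:
    """Return findings that point at FakeTLS-style framing."""
    findings = []
    seen_handshake = False
    for idx, (ctype, version, _body) in enumerate(parse_records(stream)):
        if ctype == HANDSHAKE:
            seen_handshake = True
            continue
        if ctype != APPLICATION_DATA:
            continue
        if version == 0x0304:
            findings.append(f"record {idx}: version 0x0304 in an application-data "
                            "record; real TLS 1.3 uses legacy_record_version 0x0303")
        if not seen_handshake:
            findings.append(f"record {idx}: application data with no prior handshake")
    return findings


# Constructed samples: a spoofed "TLSv1.3" record (0x17 0x03 0x04) with a
# 4-byte body, and a benign stream (ClientHello-style header, then app data).
SPOOFED_TLS13 = bytes([0x17, 0x03, 0x04, 0x00, 0x04]) + b"\xde\xad\xbe\xef"
NORMAL_TLS = (bytes([0x16, 0x03, 0x01, 0x00, 0x02]) + b"\x01\x00"
              + bytes([0x17, 0x03, 0x03, 0x00, 0x02]) + b"\xaa\xbb")

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_TLS13), ("normal", NORMAL_TLS)):
        print(name, scan_records(sample) or ["no findings"])
```

The version check is a heuristic for this specific spoofing choice; traffic that mimics 0x0303 still needs the handshake-ordering or payload-level checks to stand out.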