
Chinese state-backed hacking group Mustang Panda, also known as Earth Preta, has been caught using an advanced evasion technique to bypass security defenses, particularly ESET antivirus software. This method involves leveraging MAVInject.exe, a legitimate Windows tool, to inject malware into trusted processes, enabling long-term persistence, data exfiltration, and system control.
By embedding their payloads within legitimate applications and deploying TONESHELL, a powerful backdoor, Mustang Panda ensures that infected machines remain under their control without raising red flags. This latest attack underscores the growing trend of living-off-the-land (LotL) techniques, where threat actors abuse built-in system tools to evade detection.
High bureau, high danger
Mustang Panda’s primary targets include government agencies, military organizations, and strategic industries across multiple regions. The attack typically begins with spear-phishing emails containing a decoy PDF designed to lure victims into executing a malicious installer. Once opened, the malware drops several files and executes a legitimate Electronic Arts (EA) application, OriginLegacyCLI.exe, which is then hijacked to sideload a rogue DLL (EACore.dll).
By using this strategy, the attackers gain a foothold in the target system, allowing them to:
• Steal sensitive government and defense-related information
• Maintain persistent access for extended espionage campaigns
• Move laterally within the victim’s network
• Avoid detection by traditional antivirus solutions
This aligns with Mustang Panda’s previous campaigns, where they have relied on trojanized applications and sophisticated backdoors to infiltrate high-value targets.
Tapping into trusted tools
One of the most alarming aspects of this attack is the use of MAVInject.exe and waitfor.exe—both legitimate Windows executables—to execute malicious code without triggering security alerts. The attack follows a calculated sequence:
1. Initial execution: The malware deploys a setup file (IRSetup.exe), which acts as a dropper for additional malicious components.
2. Antivirus detection evasion: The malware scans for running ESET antivirus processes (ekrn.exe or egui.exe). If either is found, it launches waitfor.exe, which the malware uses to synchronize its malicious processes.
3. Payload execution via MAVInject.exe: This Windows tool is then used to inject malicious code into waitfor.exe, enabling Mustang Panda to execute commands, exfiltrate files, and maintain covert control over the compromised system.
4. Data exfiltration: Once installed, the malware decrypts embedded shellcode and communicates with a command-and-control (C2) server at www.militarytc[.]com:443, through which attackers issue commands for further exploitation.
This technique is particularly dangerous because it allows attackers to remain undetected for long periods, bypassing antivirus and endpoint security solutions.
Mitigation Measures: The Padlock
To counter Mustang Panda’s latest evasion tactics, organizations must harden their security posture by implementing multiple layers of defense:
• Restrict the execution of MAVInject.exe and waitfor.exe to prevent unauthorized abuse
• Enforce application allowlists to block unapproved software from running on critical systems
• Monitor unusual network traffic to detect C2 communications and data exfiltration attempts
• Deploy endpoint detection and response (EDR) solutions to flag suspicious process injections
• Conduct security awareness training to educate employees about spear-phishing risks and prevent social engineering attacks
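As an added example (not from the article or from the researchers who reported the campaign), the Python below shows the correlation an EDR or SIEM rule would perform for the process-injection bullet above: match a MAVInject.exe launch to the process it targets by PID, and alert when that target is waitfor.exe. The Sysmon-style records, file paths, PIDs and the waitfor signal name are constructed; the /INJECTRUNNING switch is MAVInject's documented command-line syntax and is not taken from the article.

```python
"""Added detection sketch: correlate Sysmon process-creation records so a
MAVInject.exe launch is matched by PID to the process it targets, and alert
when that target is waitfor.exe. Events, paths and PIDs are constructed."""
import json
import re
from pathlib import PureWindowsPath

# Documented MAVInject syntax: mavinject.exe <PID> /INJECTRUNNING <DLL path>
INJECT_RE = re.compile(r"\b(\d+)\s+/INJECTRUNNING\s+(.+?)\s*$", re.IGNORECASE)

# Constructed Sysmon event ID 1 records, one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\waitfor.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\OriginLegacyCLI.exe", "CommandLine": "waitfor.exe sig"}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\mavinject.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\OriginLegacyCLI.exe", "CommandLine": "mavinject.exe 4120 /INJECTRUNNING C:\\Users\\victim\\AppData\\Roaming\\EACore.dll"}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

def load_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def find_mavinject_abuse(events):
    """One alert per MAVInject launch: 'high' when the target process is
    waitfor.exe (the chain in the article), 'medium' for any other target,
    since MAVInject has no routine use outside App-V environments."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for e in events:
        if e.get("EventID") != 1 or image_name(e["Image"]) != "mavinject.exe":
            continue
        m = INJECT_RE.search(e.get("CommandLine", ""))
        if not m:
            continue
        target_pid, dll = int(m.group(1)), m.group(2)
        target = by_pid.get(target_pid)
        target_name = image_name(target["Image"]) if target else "unknown"
        alerts.append({
            "severity": "high" if target_name == "waitfor.exe" else "medium",
            "target_pid": target_pid,
            "target_image": target_name,
            "dll": dll,
            "launched_by": e.get("ParentImage", ""),
        })
    return alerts
```

In production the same correlation belongs in a Sigma rule or EDR query keyed on the MAVInject image name, with the parent image and DLL path kept as triage context.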
As Mustang Panda continues to refine its cyberespionage techniques, proactive monitoring, behavioral analysis, and zero-trust security principles will be critical in detecting and mitigating such stealthy attacks before they cause irreparable damage.