Microsoft App-V Tool Becomes New Weapon for Chinese Hackers to Avoid Detection

Introduction
Cybersecurity researchers have recently uncovered a sophisticated cyber-espionage campaign conducted by the Chinese Advanced Persistent Threat (APT) group known as Mustang Panda. The group has been found leveraging Microsoft Application Virtualization Injector (MAVInject.exe) as a Living-Off-the-Land Binary (LOLBIN) to stealthily inject malicious payloads into legitimate processes, thereby bypassing antivirus detection mechanisms. This evasion technique was uncovered by security analysts at Trend Micro, who have tracked this threat actor under the codename “Earth Preta.”
Background on Mustang Panda
Mustang Panda is a well-known Chinese cyber-espionage group with a history of targeting government agencies, think tanks, non-governmental organizations (NGOs), and law enforcement entities. The group has been active for several years and has employed various sophisticated tactics to infiltrate high-value targets. Past campaigns have included malware distribution through Google Drive, the deployment of custom evasive backdoors, and worm-based attack methodologies.
Trend Micro has reported that since 2022, the group has successfully compromised over 200 victims, primarily in the Asia-Pacific region. Their primary attack vector remains spear-phishing emails that impersonate official communications from government entities.
Attack Methodology
Mustang Panda’s recent campaign follows a structured attack pattern: social engineering, payload delivery, execution, and persistence. The intrusion begins with a spear-phishing email carrying a malicious attachment, a dropper named IRSetup.exe. The dropper is a Setup Factory installer that, when run, writes several files onto the victim’s machine under C:\ProgramData\session.
Among the files dropped are:
- Legitimate executables that are abused to load the malicious components
- Malicious components
- A decoy PDF file designed to distract the user while the malware operates in the background
Exploiting Microsoft Application Virtualization Injector
To slip past antivirus, Mustang Panda abuses MAVInject.exe, a Microsoft-signed binary that ships with Windows (under System32 and SysWOW64) as part of the Microsoft Application Virtualization (App-V) client. Its documented job is to inject a DLL into a running process, which is exactly what an attacker wants: invoked as MAVInject.exe <PID> /INJECTRUNNING <path to DLL>, it loads an arbitrary DLL into any process the caller has access rights to, with no exploit required. This is why it is catalogued as a LOLBIN.
In this campaign the injection target is waitfor.exe, another legitimate Windows binary. waitfor.exe normally sends or waits for a signal to synchronize tasks across machines on a network, usually from batch scripts and automation jobs; it has no reason to host third-party code.
With the payload running inside waitfor.exe, the malicious code appears to belong to a benign, signed system process. The loader checks for ESET’s processes (ekrn.exe, egui.exe) and takes the MAVInject.exe route to evade ESET products specifically, and potentially other security solutions that trust code executing inside signed Microsoft binaries.
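As an added illustration (not code from Trend Micro or this article), the Python below shows the detection logic a SOC could run over process-creation telemetry such as Sysmon Event ID 1 or Security event 4688. It keeps a PID-to-image map so the target PID on MAVInject’s command line can be resolved to a process name, reports every MAVInject invocation, and raises the severity when the target is waitfor.exe, the DLL lives under a user-writable path such as C:\ProgramData, or the parent process runs from outside the system directories. The command-line shape mavinject.exe <PID> /INJECTRUNNING <dll> is the documented LOLBAS usage; the sample events, including the placeholder name launcher.exe, are constructed, since the article names only the drop directory and EACore.dll, not the executable that launches them.

```python
"""Hunting logic for MAVInject.exe abuse in process-creation telemetry.

Added example (not code from Trend Micro or the WIRE TOR article). The
records mimic the fields of Sysmon Event ID 1 / Security 4688 events; the
sample events at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Documented LOLBAS invocation:  mavinject.exe <PID> /INJECTRUNNING <dll path>
# (the /HMODULE=<addr> variant is accepted as well).
INJECT_RE = re.compile(
    r'^\s*"?(?P<exe>\S*?mavinject\.exe)"?\s+(?P<pid>\d+)\s+'
    r'/(?:INJECTRUNNING|HMODULE=\S+)\s+"?(?P<dll>.+?)"?\s*$',
    re.IGNORECASE,
)

# Directories where a legitimately installed DLL or loader is expected to live.
# C:\ProgramData\session, where the dropper writes EACore.dll, is not one of them.
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Processes that never legitimately host third-party code.
SUSPICIOUS_TARGETS = {"waitfor.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


@dataclass
class Alert:
    severity: str       # "high" or "low"
    injector_pid: int
    target_image: str   # basename of the process being injected into
    dll: str
    reasons: list


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def detect(events):
    """Walk process-creation events in order, keeping a pid -> image map so the
    target PID on mavinject's command line can be resolved to a process name.
    Every MAVInject invocation is reported (low severity at minimum, since it is
    rarely seen outside App-V deployments); it is raised to high when the target,
    the DLL location or the parent process matches the Earth Preta pattern."""
    pid_to_image = {}
    alerts = []
    for ev in events:
        pid_to_image[ev.pid] = ev.image
        m = INJECT_RE.match(ev.command_line)
        if not m:
            continue
        target = _basename(pid_to_image.get(int(m.group("pid")), "<unknown>"))
        dll = m.group("dll")
        parent = pid_to_image.get(ev.ppid)
        reasons = []
        if target in SUSPICIOUS_TARGETS:
            reasons.append(f"injection target {target} has no reason to load a DLL")
        if not _in_trusted_dir(dll):
            reasons.append(f"DLL loaded from user-writable location: {dll}")
        if parent is not None and not _in_trusted_dir(parent):
            reasons.append(f"mavinject launched by non-system parent: {parent}")
        alerts.append(Alert(
            severity="high" if reasons else "low",
            injector_pid=ev.pid,
            target_image=target,
            dll=dll,
            reasons=reasons,
        ))
    return alerts


# Constructed sample telemetry. "launcher.exe" is a placeholder: the article
# names the drop directory and EACore.dll, not the executable that runs them.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4242, 1200, r"C:\ProgramData\session\launcher.exe",
              r'"C:\ProgramData\session\launcher.exe"'),
    ProcEvent(5150, 4242, r"C:\Windows\System32\waitfor.exe",
              "waitfor.exe /t 3600 sessionready"),
    ProcEvent(5160, 4242, r"C:\Windows\System32\mavinject.exe",
              r'"C:\Windows\System32\mavinject.exe" 5150 /INJECTRUNNING "C:\ProgramData\session\EACore.dll"'),
    # Benign-looking use for contrast: a vendor tool under Program Files
    # injecting its own DLL into its own process.
    ProcEvent(6000, 1200, r"C:\Program Files\Vendor\host.exe", "host.exe"),
    ProcEvent(6010, 6000, r"C:\Windows\System32\mavinject.exe",
              r'mavinject.exe 6000 /INJECTRUNNING "C:\Program Files\Vendor\hook.dll"'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] pid {a.injector_pid} -> {a.target_image} ({a.dll})")
        for r in a.reasons:
            print("    -", r)
```

Run against the constructed events, the injection into waitfor.exe is rated high on three counts (target, DLL path, parent) while the contrasting vendor case is reported at low severity. In production the PID map must be scoped per host and per boot, since PIDs are reused, and environments that do deploy App-V should baseline the App-V client as the expected parent so that only deviations from it are escalated.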
Payload Execution and Malware Capabilities
The malware injected into waitfor.exe is a modified version of the TONESHELL backdoor. This malicious payload is delivered through a DLL file named EACore.dll, which provides remote attackers with:
- System reconnaissance capabilities: The malware collects system information and transmits it to a command and control (C2) server.
- Persistent remote access: Attackers gain a reverse shell to execute arbitrary commands on the infected machine.
- File operations: The malware can move, delete, and modify files as needed to maintain its foothold.
- C2 Communication: The malware communicates with its C2 server at militarytc[.]com:443, exfiltrating victim data and awaiting further instructions.
Implications and Threat Mitigation
Mustang Panda’s use of MAVInject.exe as a LOLBIN demonstrates an evolution in their tactics, techniques, and procedures (TTPs). By leveraging pre-installed Windows tools, they minimize their footprint and increase their chances of remaining undetected by security solutions. Organizations, particularly those in government and critical infrastructure sectors, should adopt the following security measures to mitigate the threat:
1. Application Whitelisting
Application allowlisting (AppLocker or Windows Defender Application Control) can prevent the execution of unauthorized processes, and MAVInject.exe can be explicitly denied in environments where App-V is not used. One caveat: MAVInject.exe is Microsoft-signed, so a publisher-based allow rule for Microsoft binaries permits it by default. An explicit deny rule is needed, it must cover both the System32 and SysWOW64 copies, and a deny-only fragment has to be merged with the existing allow rules rather than deployed on its own.
2. Behavior-Based Detection
Traditional signature-based antivirus scans files on disk and will not flag a signed Microsoft binary or an unmodified waitfor.exe. Behavior-based detection should look at what the processes do: a DLL injected from a user-writable directory such as C:\ProgramData into an unrelated process, or waitfor.exe and MAVInject.exe spawned by the same non-system parent.
3. Endpoint Detection and Response (EDR) Solutions
EDR tools provide visibility into process creation, parent-child lineage, and cross-process memory writes, and can detect or block injection into processes like waitfor.exe that have no legitimate reason to load third-party code.
4. User Awareness and Phishing Prevention
Since spear-phishing is the primary initial infection vector, training employees to recognize and report phishing emails is crucial in preventing successful intrusions.
5. Network Segmentation and Monitoring
Organizations should segment their networks to limit lateral movement in case of a breach. Additionally, monitoring DNS queries and outbound TLS connections for known C2 indicators, in this campaign militarytc[.]com on port 443, can help identify compromised systems; because the traffic uses 443, inspecting the destination name (DNS or TLS SNI) matters more than the port.
Conclusion
The recent campaign by Mustang Panda highlights the growing trend of APT groups exploiting legitimate system tools to carry out stealthy cyber-espionage operations. By abusing MAVInject.exe and other built-in Windows utilities, attackers can effectively evade traditional security defenses and maintain long-term persistence in compromised networks.
As the threat landscape continues to evolve, organizations must adopt a proactive security approach, combining advanced threat intelligence, behavioral analytics, and strong endpoint defenses to thwart these sophisticated attacks. The discovery of Mustang Panda’s tactics reinforces the need for continuous vigilance, updated security protocols, and robust defense mechanisms to counter state-sponsored cyber threats.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest services and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code security.

