{"id":108829,"date":"2025-04-03T17:00:05","date_gmt":"2025-04-03T09:00:05","guid":{"rendered":"https:\/\/version-2.com\/?p=108829"},"modified":"2025-06-18T16:02:25","modified_gmt":"2025-06-18T08:02:25","slug":"adversary-tradecraft-emulating-mustang-pandas-use-of-mavinject-in-recent-campaigns","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2025\/04\/adversary-tradecraft-emulating-mustang-pandas-use-of-mavinject-in-recent-campaigns\/","title":{"rendered":"Adversary Tradecraft: Emulating Mustang Panda\u2019s Use of MAVInject in Recent Campaigns"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"108829\" class=\"elementor elementor-108829\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-35fe5dd post-content elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"35fe5dd\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;cef08c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot
;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-409a2e9a\" data-id=\"409a2e9a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5a8be8f elementor-widget elementor-widget-text-editor\" data-id=\"5a8be8f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/2305_GLLabs_MyFirstLoadBalancer32.jpg.webp\" width=\"1200\" height=\"628\" \/><\/p><div class=\"elementor-widget-container\"><p>In cybersecurity, the adage \u201cwhat\u2019s old is new\u201d continues to hold true as attackers resurface longstanding techniques or repurpose them with new twists and adaptations. The popularization of Living Off the Land Binaries (LOLBins) \u2014 legitimate, Windows-native tools commonly abused for malicious uses \u2014 is a great example of this. 
Many of these methods have existed for decades yet remain effective in the modern security landscape, especially as many organizations are still ill-advised and unequipped to combat them. Being able to spot Mustang Panda\u2019s use of MAVInject in recent campaigns is very important for security teams.<\/p><p>\u00a0<\/p><p>The LOLBin star for today\u2019s blog is Microsoft Application Virtualization Injector (MAVInject) which is (un)surprisingly still kicking since its first buzz around 2017. We\u2019ll cover its particular role in a novel attack chain reported by <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html\">Trend Micro<\/a> researchers whereby the threat group Mustang Panda combines legitimate components with malicious payloads to reduce likelihood of detection.<\/p><p>\u00a0<\/p><p>In this blog we\u2019ll emulate the infection chain described in the report and analyze the activity it produces in Graylog. Throughout and at the end of the post, we share threat hunting and detection approaches that you can apply in your own environments.<\/p><p>\u00a0<\/p><h2><strong>Attack Overview<\/strong><\/h2><p>The attack likely starts with a spear-phishing email attachment. When executed by the victim, IRSetup.exe is used to drop multiple files to the system. 
In the case of the Trend Micro report, the files were placed in a newly created C:\\ProgramData\\session directory.<\/p><p>The report\u2019s execution flow diagram seen below shows how the kill chain progresses from the initial dropper all the way to payload execution, ultimately leading to Command and Control (C2) communication to the attacker-controlled server www[.]militarytc[.]com over port 443.<\/p><p><picture class=\"aligncenter size-large wp-image-30967\"> <source id=\"NjcxOjQ2OA==-1\" srcset=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-1024x834.png.webp 1024w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-300x244.png.webp 300w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-768x626.png.webp 768w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-1536x1251.png.webp 1536w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1.png.webp 1819w\" type=\"image\/webp\" sizes=\"(max-width: 800px) 100vw, 800px\" \/> <img decoding=\"async\" id=\"NjcyOjU4NA==-1\" class=\"lazyloaded\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-1024x834.png\" sizes=\"(max-width: 800px) 100vw, 800px\" srcset=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-1024x834.png 1024w, 
https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-300x244.png 300w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-768x626.png 768w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1-1536x1251.png 1536w, https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture1.png 1819w\" alt=\"Attack flow chart\" width=\"800\" height=\"652\" \/> <\/picture><\/p><p>\u00a0<\/p><h2><strong>Key elements<\/strong><\/h2><ul><li>IRSetup.exe opens a decoy PDF to distract the victim while the malicious payload is deployed in the background.<\/li><li>The legitimate Electronic Arts (EA) application OriginLegacyCLI.exe is executed to sideload EACore.dll, which contains the actual malicious functionality. The DLL is a modified version of Mustang Panda\u2019s TONESHELL backdoor.<\/li><li>The malware checks if ESET security software is running on the host by looking for its associated processes ekrn.exe or egui.exe.<\/li><li>If present, it uses MAVInject to inject itself into the legitimate Windows application waitfor.exe and triggers code that establishes the connection to its C2 server.<\/li><li>Otherwise, MAVInject is skipped and the code is directly injected into waitfor.exe.<\/li><\/ul><p>\u00a0<\/p><p>\u201cDLL? Sideloading?? Injection???\u201d, one might be thinking as they read through that. 
Not to worry, these concepts will be demystified as we emulate the chain ourselves later.<\/p><p>\u00a0<\/p><p>It seems that Mustang Panda might\u2019ve found this use of MAVInject to fly under the radar of ESET software specifically, though that remains unclear \u2013 ESET has since responded that this technique is not a bypass of its protections.<\/p><p>\u00a0<\/p><h2><strong>Persistence<\/strong><\/h2><p><strong>\u00a0<\/strong>While researching this attack, we came across a report on <a href=\"https:\/\/any.run\/report\/31d843ccad9a3d38e4d83e8c9729e47465fd587d573b2c6636f39ef11bd9717e\/3fe63d5a-8bcd-4883-9f0e-806b5ca37be3\">Any.Run<\/a> that exhibits a similar kill chain. It includes a persistence mechanism via a registry Run key that wasn\u2019t mentioned in the original report.<\/p><p><picture class=\"aligncenter size-large wp-image-30969\"><img decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture2-1024x222.png.webp\" width=\"1024\" height=\"222\" \/><\/picture><\/p><p>This mechanism enables the malware to maintain its foothold on the compromised host. Even if the system is restarted, it will be re-infected once the user logs in.<\/p><p>\u00a0<\/p><h2><strong>Emulating the Adversary<\/strong><\/h2><p>\u00a0<\/p><h3><strong>Lab setup<\/strong><\/h3><p>To emulate and analyze the attack, we\u2019ve set up a lab environment with Graylog Enterprise 6.1.7 and the Illuminate <a href=\"https:\/\/go2docs.graylog.org\/illuminate-current\/content_packs\/windows_security_event_logs_content_pack.html\">Windows Security Event Logs Content Pack<\/a> enabled to parse, normalize and enrich the logs. <a href=\"https:\/\/graylog.org\/products\/security\/\">Graylog Security<\/a> is also included to integrate Sigma rule detections.<\/p><p>\u00a0<\/p><p>A Windows Server 2022 system will serve as our \u201cvictim host\u201d. 
Its configuration sends System, Security, PowerShell\/Operational, and Defender event logs via <a href=\"https:\/\/go2docs.graylog.org\/current\/getting_in_log_data\/graylog_sidecar.html\">Graylog Sidecar<\/a> to our Graylog instance. Auditing is explicitly enabled for process execution (command line included), registry changes in commonly abused locations, and file system changes in the ProgramData folder.<\/p><p>\u00a0<\/p><p>We\u2019ve built custom binaries \u2014 programs, that is \u2014 that closely mimic the malware\u2019s core functionality based on Trend Micro\u2019s analysis, all bundled into a custom IRSetup dropper. To trigger the Mavinject flow, we placed \u201cdummy\u201d programs that mimic ESET running processes. This works because the malware only checks for the process names.<\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture3.png\" width=\"624\" height=\"307\" \/><\/p><p>\u00a0<\/p><h3><strong>Detonating the mimic malware<\/strong><\/h3><p>Aaaaand, detonate\ud83d\udca5!<\/p><p><picture class=\"aligncenter wp-image-30971 size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture4-1024x258.png.webp\" width=\"1024\" height=\"258\" \/><\/picture><\/p><p>We see that the mimic dropper wrote files to the ProgramData\\session folder and auto-launched the decoy PDF. 
Waitfor.exe is also running in Task Manager.<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30973 size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture5-1024x376.png.webp\" width=\"1024\" height=\"376\" \/><\/picture><\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30974 size-large\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture6-1024x450.png.webp\" width=\"1024\" height=\"450\" \/><\/picture><\/p><p>\u00a0<\/p><p>It looks like the infection chain of our mimic malware followed through. Let\u2019s hop over to Graylog to get a detailed view of the activity that occurred.<\/p><p>\u00a0<\/p><h3><strong>IRSetup dropper<\/strong><\/h3><p><strong>\u00a0<\/strong>IRSetup.exe itself isn\u2019t malware \u2014 it\u2019s created using a legitimate Windows software installer builder named Setup Factory, in this case abused to drop and execute the malicious files. Attackers favor legitimate tools to blend into environments and make it harder for detection logic to separate malicious from benign activity. It also saves them the trouble of implementing these components themselves.<\/p><p>\u00a0<\/p><p>While we don\u2019t have the actual Setup Factory installer, our mimic dropper does replicate its main function. 
In the screenshot below we see activity marking the beginning of the infection, sorted by ascending time (read top to bottom):<\/p><ol><li>Event ID 4688 (process creation) shows IRSetup.exe being executed<\/li><li>This is followed by file system events where the installer writes the PDF, EACore.dll, and OriginLegacyCLI.exe files to C:\\ProgramData\\session<\/li><li>The installer proceeds to execute OriginLegacyCLI.exe<\/li><\/ol><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30978 size-full\" title=\"Processes being run shown in logs\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture7-1.png.webp\" width=\"1999\" height=\"746\" \/><\/picture><\/p><p>\u00a0<\/p><p>This is where the fun begins (props if you know that reference). Shown below is the rest of the infection chain following OriginLegacyCLI.exe execution. We\u2019ll break down each part and write some threat hunting queries along the way.<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30976 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture8.png.webp\" width=\"1999\" height=\"746\" \/><\/picture><\/p><p>\u00a0<\/p><h3><strong>EACore DLL sideloading<\/strong><\/h3><p><strong>\u00a0<\/strong><\/p><p>OriginLegacyCLI.exe gets executed in block 1. 
We don\u2019t have the visibility from these Windows events to see EACore.dll getting sideloaded as a result (<a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/sysmon\">Sysmon<\/a> would help with that), but we can infer that it happened based on the activity following.<\/p><p><strong> <img loading=\"lazy\" decoding=\"async\" id=\"NzU5OjY5Ng==-1\" class=\"aligncenter wp-image-30979 size-full nitro-lazy\" src=\"data:image\/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMTc5OSA4NiIgd2lkdGg9IjE3OTkiIGhlaWdodD0iODYiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PC9zdmc+\" sizes=\"(max-width: 1799px) 100vw, 1799px\" alt=\"OriginLevacy CLI Exe shown in logs from Mustang Panda\u2019s Use of MAVInject\" width=\"1799\" height=\"86\" \/><\/strong><\/p><p><strong> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture9.png\" width=\"1799\" height=\"86\" \/><\/strong><\/p><p>So, what is <strong>DLL sideloading<\/strong>? Before that even, what\u2019s a DLL?<\/p><p>\u00a0<\/p><p>A DLL, or Dynamic Link Library, is a shared file used by Windows programs to perform certain functions without having to include all the necessary code within the program itself. Developers <strong>load<\/strong> and <strong>import<\/strong> ready-made code libraries from DLLs into their applications so they don\u2019t have to reinvent functionality that\u2019s already been written.<\/p><p>\u00a0<\/p><p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\">DLL sideloading<\/a> is a technique where a legitimate application unknowingly loads a malicious DLL instead of the intended one, allowing attackers to execute their code while appearing legitimate. 
It\u2019s similar to <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/001\/\">DLL hijacking<\/a>, the difference being that the attacker places the trojanized DLL alongside the target application EXE and directly invokes the application to proxy execute the DLL.<\/p><p>\u00a0<\/p><p>In the Mustang Panda infection chain, the attacker positions the legitimate, signed 3rd-party application OriginLegacyCLI.exe and a tampered EACore.dll in the same directory. When OriginLegacyCLI.exe runs, it follows a search order to look for the DLL it needs by name, in this case \u201cEACore.dll\u201d, and load it.<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30980 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture10.png.webp\" width=\"573\" height=\"546\" \/><\/picture><\/p><p>\u00a0<\/p><p>DLLs in the same folder as the application take priority in the search order hierarchy. OriginLegacyCLI finds that the backdoored EACore.dll matches its search first, and loads it unaware that it\u2019s been swapped. Upon load or import of functionality, the malicious code housed in the DLL gets executed.<\/p><p>\u00a0<\/p><p>This method is highly effective because it exploits trust in legitimate applications and is difficult to identify, helping malware evade security detections. 
For this reason it\u2019s often a preferred execution method by Red Teams and threat actors alike.<\/p><p><strong>\u00a0<\/strong><\/p><h3><strong>ESET check and RegSvr32<\/strong><\/h3><p><strong>\u00a0<\/strong><\/p><p>At this point the malicious code in EACore is running under the mask of OriginLegacyCLI, and we move to block 2.<\/p><p>\u00a0<\/p><p>According to the Trend Micro report, the malware checks for ESET running on the system and, if present, \u201cregisters EACore.dll using regsvr32.exe to execute the DLLRegisterServer function\u201d, seen in the command line:<\/p><p>\u201cC:\\Windows\\System32\\regsvr32.exe\u201d \/s \u201cC:\\ProgramData\\session\\EACore.dll\u201d<\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture11.png\" width=\"1798\" height=\"86\" \/><\/p><p><img loading=\"lazy\" decoding=\"async\" id=\"Nzg2OjY3OA==-1\" class=\"aligncenter wp-image-30981 size-full nitro-lazy\" src=\"data:image\/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMTc5OCA4NiIgd2lkdGg9IjE3OTgiIGhlaWdodD0iODYiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PC9zdmc+\" sizes=\"(max-width: 1798px) 100vw, 1798px\" alt=\"EACORE dll being run for Mustang Panda\u2019s Use of MAVInject\" width=\"1798\" height=\"86\" \/><\/p><p>\u00a0<\/p><p>Put simply, RegSvr32 is a Windows utility that can be abused to <a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/010\/\">proxy execute<\/a> malicious code. Instead of EACore invoking its own function, it takes the long way of having RegSvr32 do it. 
The result is the start of the next infection phase now under the parent process of regsvr32.exe.<\/p><p>\u00a0<\/p><p>Again, we see the use of a built-in Windows utility in an attempt to thwart detections.<\/p><p>\u00a0<\/p><h3><strong>DLL injection via MAVInject<\/strong><\/h3><p><strong>\u00a0<\/strong><\/p><p>Now for what we\u2019ve all been waiting for. If you\u2019re here, you\u2019ve probably weathered the technical hailstorm that was the last few sections, and to that I give a swift salute.<\/p><p>\u00a0<\/p><p>We\u2019re now in block 4, where we see waitfor.exe process creation followed by DLL injection into that process using MAVInject.<\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture12.png\" width=\"1916\" height=\"172\" \/><\/p><p><img loading=\"lazy\" decoding=\"async\" id=\"Nzk4OjcwOQ==-1\" class=\"aligncenter wp-image-30982 size-full nitro-lazy\" src=\"data:image\/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMTkxNiAxNzIiIHdpZHRoPSIxOTE2IiBoZWlnaHQ9IjE3MiIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48L3N2Zz4=\" sizes=\"(max-width: 1916px) 100vw, 1916px\" alt=\"waitfor process and dll injection using MAVInject for Mustang Panda\u2019s Use of MAVInject\" width=\"1916\" height=\"172\" \/><\/p><p>\u00a0<\/p><p>So, <strong>DLL injection<\/strong>.<\/p><p><picture class=\"aligncenter wp-image-30984 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture13.png.webp\" width=\"518\" height=\"336\" \/><\/picture><\/p><p>\u00a0<\/p><p>In this context, <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/001\/\">DLL injection<\/a> is a method of executing malicious code inside of 
another, often legitimate, running process. It takes a DLL and forces the separate process to load and execute it, enabling malicious activity under the guise of that process.<\/p><p>\u00a0<\/p><p>As we see above, the malware first launches the legitimate Windows program waitfor.exe with the intent to inject into it.<\/p><p>\u201cC:\\Windows\\SysWOW64\\waitfor.exe\u201d \u201cEvent19030087251541\u201d<\/p><p>\u00a0<\/p><p>It captures the process ID (PID) 6896 of the newly spawned waitfor.exe to be referenced during injection.<\/p><p>It then runs Mavinject.exe to inject itself, EACore.dll, into waitfor.exe referencing its PID 6896.<\/p><p>\u201cC:\\Windows\\SysWOW64\\mavinject.exe\u201d 6896 \/INJECTRUNNING \u201cC:\\ProgramData\\session\\EACore.dll\u201d<\/p><p>\u00a0<\/p><p>Once EACore.dll is injected into waitfor.exe, it establishes a network connection to the C2 server for control over the compromised system.<\/p><p><picture class=\"aligncenter wp-image-30985 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture14.png.webp\" width=\"996\" height=\"687\" \/><\/picture><\/p><p>\u00a0<\/p><p>That\u2019s the gist. If you\u2019re here for the details, it triggers an execution flow to decrypt, allocate and execute shellcode that opens a reverse shell to the C2 and sends information about the victim host. 
The C2 server communicates with the host using a custom command protocol.<\/p><p>\u00a0<\/p><p>We can hunt for MAVInject DLL injection using the following query in Graylog.<\/p><p>process_command_line:\/.* \\\/INJECTRUNNING .*\/<\/p><p>\u00a0<\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture15.png\" width=\"1949\" height=\"318\" \/><img loading=\"lazy\" decoding=\"async\" id=\"ODI4OjY3NQ==-1\" class=\"aligncenter wp-image-30986 size-full nitro-lazy\" src=\"data:image\/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMTk0OSAzMTgiIHdpZHRoPSIxOTQ5IiBoZWlnaHQ9IjMxOCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48L3N2Zz4=\" sizes=\"(max-width: 1949px) 100vw, 1949px\" alt=\"INJECTRUNNING for Mustang Panda\u2019s Use of MAVInject\" width=\"1949\" height=\"318\" \/><\/p><p>\u00a0<\/p><p>Looking for waitfor.exe spawned under regsvr32.exe is another useful query.<\/p><p>process_name:waitfor.exe AND process_parent_name:regsvr32.exe<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30987 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture16.png.webp\" width=\"1720\" height=\"602\" \/><\/picture><\/p><p>\u00a0<\/p><h3><strong>Decoy PDF<\/strong><\/h3><p><strong>\u00a0<\/strong><\/p><p>As a little bonus, our mimic dropper also opens the decoy PDF.<\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture17.png\" width=\"1892\" height=\"86\" \/><img loading=\"lazy\" decoding=\"async\" id=\"ODQzOjY1MA==-1\" 
class=\"aligncenter wp-image-30988 size-full nitro-lazy\" src=\"data:image\/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMTg5MiA4NiIgd2lkdGg9IjE4OTIiIGhlaWdodD0iODYiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PC9zdmc+\" sizes=\"(max-width: 1892px) 100vw, 1892px\" alt=\"Mimic dropper opens a decoy pdf\" width=\"1892\" height=\"86\" \/><\/p><p>\u00a0<\/p><h3><strong>Run key persistence<\/strong><\/h3><p><strong>\u00a0<\/strong><\/p><p>Going back to the start of this blog post, we identified that the malware might also set autostart persistence in the registry to survive reboots.<\/p><p>\u00a0<\/p><p>In block 3 above, there are registry modification events that show the malware creating a <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/001\/\">Run key<\/a> under `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.<\/p><p>\u00a0<\/p><p>Viewing the details of Event ID 4657 (registry value was modified) in Graylog, we see that the key name masquerades as Microsoft Edge Auto Launch. It\u2019s set to execute OriginLegacyCLI.exe (and therefore the EACore.dll TONESHELL backdoor) upon user logon in order to re-infect the system.<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30989 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture18.png.webp\" width=\"1396\" height=\"588\" \/><\/picture><\/p><p>\u00a0<\/p><p>We can hunt for registry HKCU\\Run key persistence with event IDs 4657 or 4663. 
Here is an example query using ID 4663 to uncover registry Run key writes from OriginLegacyCLI.exe (bear in mind that this won\u2019t catch instances where OriginLegacyCLI is renamed or replaced; remove the process_name condition to cover those).<\/p><p>event_code:4663 AND process_name:OriginLegacyCLI.exe AND file_path:\/.*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\/<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30990 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture19.png.webp\" width=\"1999\" height=\"300\" \/><\/picture><\/p><p><strong>\u00a0<\/strong><\/p><h2><strong>Detections<\/strong><\/h2><p>\u00a0<\/p><p>We recommend the following SigmaHQ rules to detect this attack chain and similar events:<\/p><ul><li><a href=\"https:\/\/raw.githubusercontent.com\/SigmaHQ\/sigma\/refs\/heads\/master\/rules\/windows\/process_creation\/proc_creation_win_lolbin_mavinject_process_injection.yml\">Mavinject Inject DLL Into Running Process<\/a><\/li><li><a href=\"https:\/\/raw.githubusercontent.com\/SigmaHQ\/sigma\/refs\/heads\/master\/rules\/windows\/process_creation\/proc_creation_win_regsvr32_susp_child_process.yml\">Potentially Suspicious Child Process Of Regsvr32<\/a> (waitfor.exe added)<\/li><\/ul><p>\u00a0<\/p><p>We can easily add these rules with Graylog Security. 
Add the SigmaHQ repository and import all, then search for and enable the rules.<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter size-large wp-image-30991\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture20-1024x442.png.webp\" width=\"1024\" height=\"442\" \/><\/picture><\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture21-1024x250.png.webp\" width=\"1024\" height=\"250\" \/><\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture22-1024x69.png.webp\" width=\"1024\" height=\"69\" \/><\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture23-1024x69.png.webp\" width=\"1024\" height=\"69\" \/><\/p><p>For \u201cPotentially Suspicious Child Process of Regsvr32\u201d you will have to add waitfor.exe to the Image list, like so.<\/p><p>\u00a0<\/p><p><picture class=\"aligncenter wp-image-30995 size-full\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/cdn-jnkep.nitrocdn.com\/GTmurwhroBoLJVMAHNGccmBVEhSunPoF\/assets\/images\/optimized\/rev-ed4d356\/graylog.org\/wp-content\/uploads\/2025\/03\/Picture24.png.webp\" width=\"825\" height=\"784\" \/><\/picture><\/p><p>\u00a0<\/p><p>\u00a0<\/p><h2><strong>Indicators<\/strong><\/h2><p>\u00a0<\/p><p>These indicators will primarily be useful for 
hunting past intrusions that went unnoticed. They have little effectiveness in detecting future intrusions by Mustang Panda as threat actors tend to burn or alter their tools and infrastructure between campaigns.<\/p><p>\u00a0<\/p><p><strong>OriginLegacyCLI.exe<\/strong> (legitimate application targeted for sideloading) SHA-256:<br \/>91357E6E5A8DB3D9D3B23CE4368425A148683287D917D927EE2BB6E835C87EBE<\/p><p>\u00a0<\/p><p><strong>EACore.dll<\/strong> (modified TONESHELL backdoor) SHA-256:<br \/>DC673D59A6A9DF3D02E83FD03AF80E117BEA20954602AE416540870B1B3D13C4<\/p><p>\u00a0<\/p><p><strong>Registry HKCU\/Run key <\/strong>(persistence mechanism)\u00a0Name:<br \/>MicrosoftEdgeAutoLaunch_DAC5ED36BBAC4D19045B4BAFA91EF8729<\/p><p>Value:<br \/>\u201cc:\\programdata\\session\\OriginLegacyCLI.exe\u201d<\/p><p><strong>www[.]militarytc[.]com:443 <\/strong>(C2 server hostname and port)<\/p><p><strong>193[.]56[.]255[.]179 <\/strong>(C2 server IP address)<\/p><p>\u00a0<\/p><p>In general, look for Mavinject.exe execution and outbound network connections from unexpected Windows programs. Ensure that execution of Potentially Unwanted Programs (PUPs) and unauthorized software is tracked in your environment.<\/p><p>\u00a0<\/p><h2>Graylog Detections<\/h2><p>Graylog has provided the Sigma Rules and Indicators here to share threat detection intelligence with those not running <a href=\"https:\/\/graylog.org\/products\/security\/\">Graylog Security<\/a>. 
Note that Graylog Security customers receive a content feed including Sigma Rules, Anomaly Detectors, Dashboards, and other content to meet various security use cases.<\/p><p>To learn how Graylog can help you improve your security posture, <a href=\"https:\/\/www.graylog.org\/contact-us\/?hsLang=en\">contact us<\/a> today or <a href=\"https:\/\/go2.graylog.org\/see-demo-multi-dates\">watch a demo<\/a>.<\/p><p><strong>About Graylog<\/strong><br \/>At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We\u2019re committed to turning this vision into reality by providing Threat Detection &amp; Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective\u2014whether hosted by us, on-premises, or in your cloud\u2014but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.<\/p><h3>About Version 2 Digital<\/h3><p>Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.<\/p><p>Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>2025-04-03 &nbsp;Mustang Panda uses MAVInject to inject malicious code via spear-phishing, repurposing Windows tools. 
This article details their attack chain and provides detection methods using Graylog and SigmaHQ to counter these stealthy threats.<\/p>\n","protected":false},"author":149011790,"featured_media":112472,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1303,1305,61],"tags":[1077,1304,1319],"class_list":["post-108829","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-graylog","category-1305","category-press-release","tag-1077","tag-graylog","tag-home-page"],"acf":[],"yoast_head_json":{"title":"Adversary Tradecraft: Emulating Mustang Panda\u2019s Use of MAVInject in Recent Campaigns - Version 2","canonical":"https:\/\/graylog.org\/post\/adversary-tradecraft-emulating-mustang-pandas-use-of-mavinject-in-recent-campaigns\/","article_published_time":"2025-04-03T09:00:05+00:00","article_modified_time":"2025-06-18T08:02:25+00:00","author":"tracylamv2"},"jetpack_featured_media_url":"https:\/\/version-2.com\/wp-content\/uploads\/2025\/06\/post-img-graylog.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-sjj","post_mailing_queue_ids":[]}