Researchers from Trend Micro’s Threat Hunting team have uncovered a new technique employed by the advanced persistent threat (APT) group dubbed Mustang Panda or Earth Preta.
The cyberespionage group has been abusing the Microsoft Application Virtualization Injector (MAVInject.exe) to stealthily inject malicious payloads into waitfor.exe when it detects an ESET antivirus application running. This discovery is a sign of the group’s evolving tactics to bypass security defenses and maintain a foothold in compromised systems.
Sophisticated Evasion Tactics
Earth Preta’s latest campaign uses Setup Factory, an installer builder, to drop and execute malicious payloads while evading detection. The attack chain starts with the execution of IRSetup.exe, which drops multiple files into the ProgramData/session directory. These files are a mix of legitimate executables and harmful components fashioned to fool security software.
A decoy PDF, crafted to appear as an official document, is also deployed to distract victims. In one case, the fake document targeted Thailand-based users, requesting cooperation in creating a whitelist of phone numbers for an anti-crime platform purportedly supported by government agencies.
Leveraging Legitimate Applications
A key component of the attack involves sideloading a modified variant of the TONESHELL backdoor through OriginLegacyCLI.exe, a legitimate application from Electronic Arts (EA). The malware, embedded within EACore.dll, is designed to establish persistence and exfiltrate data while limiting detection.
Once executed, the malware scans for ESET antivirus processes (ekrn.exe or egui.exe). If found, MAVInject.exe is triggered to inject the payload into waitfor.exe, effectively bypassing security measures. If ESET is not detected, the malware uses alternative techniques such as WriteProcessMemory and CreateRemoteThreadEx APIs for code injection.
ESET Responds to Trend Micro’s Research on Mustang Panda Attack – “At 15:30 CET, February 18, 2025, ESET communications teams were made aware of a research blog published by Trend Micro that names ESET “antivirus application” as the target of APT Group Mustang Panda a.k.a. Earth Preta.
We disagree with the published findings that this attack “effectively bypasses ESET antivirus”. This is not a bypass, and we are bemused that Trend Micro did not alert ESET to discuss their findings.
The reported technique is not novel and ESET technology has been protecting against it for many years. Regarding this specific sample of malware, ESET had previously published details about it through its premium Cyber Threat Intelligence service and added specific detection since January. We have attributed the threat to the China-aligned CeranaKeeper APT Group. ESET users are protected against this malware and technique.”
Command-and-Control Communications
This scourge communicates with a command-and-control (C&C) server at www[.]militarytc[.]com:443. It uses encryption to transmit data, including a randomly generated identifier and the infected machine’s computer name. This protocol is consistent with previous Earth Preta variants, albeit with slight modifications, such as a revised handshake mechanism and updated command codes.
Key capabilities of the malware include:
- Reverse shell functionality
- File deletion
- File movement
For persistence, the malware stores the generated victim ID in the current_directory\CompressShaders folder, a technique not seen before in Earth Preta campaigns.
Attribution and Regional Targeting
Trend Micro’s analysis attributes this attack to Earth Preta or Mustang Panda with medium confidence. The group has a checkered past when it comes to targeting government entities, specifically in the Asia-Pacific region. A previous campaign used a variant of DOPLUGS malware to target Taiwan, Vietnam, and Malaysia, among others.
The APT’s reliance on spear-phishing emails and deceptive PDFs is well established, and the shared infrastructure and encryption methods also support the attribution to this APT group.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.