Mustang Panda Deploys PlugX RAT via LNK Through Multi-Stage
Mustang Panda, a well-known Chinese state-sponsored threat group, has been identified executing a sophisticated cyberattack campaign. The group utilizes its signature PlugX remote access tool (RAT) in these operations, as detailed in a recent report. The group used a cleverly disguised fake browser update to trick users into downloading a multi-stage malware loader that quietly installed itself on victim systems and began communicating with a remote command server, all without raising obvious suspicion.
The attack stands out for how carefully each step of the infection is separated from the others. Rather than relying on a single malicious file, the attackers built a tightly linked chain of components that only reveal their full purpose when working together.
This design makes it much harder for security tools to catch the threat by scanning any one file in isolation.
Analysts at BlueCyber identified the malware and published a detailed technical breakdown, noting that the chain began with two suspicious files: Browser_Update.zip and a masqueraded image named iis.jpg, both flagged as malicious by multiple vendors on VirusTotal.
BlueCyber said in a report shared with Cyber Security News (CSN) that the chain is divided into many small layers, with each stage taking on a specific task, helping the malware reduce static detection indicators and slow down analysis.
The attack was designed to look completely normal at a glance. The dropper, Browser_Updater.exe, opened a convincing fake update window styled after Adobe Acrobat, complete with Install and Cancel buttons, and even carried digital signatures from a Chinese company to appear more trustworthy.
Once a user clicked Install, it silently reached out to a remote server and downloaded what looked like a JPEG image but was actually a hidden MSI installer that dropped three files onto the machine.
The three files dropped were Avk.exe, Avk.dll, and AVKTray.dat. What made this particularly deceptive is that Avk.exe is a legitimate, properly signed binary from G DATA AntiVirus, used as a cover to load the malicious DLL through a technique called DLL sideloading.

Since the executable carries a valid vendor signature, it raises far fewer security alarms on its own.
Avk.dll served as an intermediate loader, using a runtime hashing technique to resolve Windows APIs without exposing them through static analysis.
It read the encrypted payload inside AVKTray.dat, granted it execute permissions in memory, then triggered execution through a Windows threadpool callback, a method that hides the true origin of execution from security monitoring tools.
The payload inside AVKTray.dat passed through multiple decryption layers, including XOR followed by RC4 decryption using the key VOphJo, before being manually mapped into memory without touching the disk as a normal executable.

After loading, it installed itself into %PUBLIC%\GData and wrote a persistence entry to the Windows Run registry key, ensuring it restarts every time the user logs in.
C2 Communication and Command Capabilities
Once installed, the payload connected to its command-and-control server at fruitbrat[.]com over port 443, using HTTPS to blend in with normal web traffic.
It crafted its requests to mimic Microsoft Edge browser activity, making detection at the network level even harder. It also stored a unique client ID in the registry to identify the infected machine to the remote server.
The command capabilities of this implant were extensive. It could download and execute files from the C2, launch processes and capture their output, upload and download file chunks by session, enumerate and delete files, and kill diagnostic tools like iediagcmd.exe to prevent an admin from spotting unusual activity.

Plugin loader stubs in the code also allowed the attackers to push additional capabilities to infected machines whenever needed.
Security analysts recommend watching for Avk.exe, Avk.dll, and AVKTray.dat appearing together in directories like %PUBLIC%\GData or %LOCALAPPDATA%\pZhozR, and for Run key entries pointing to Avk.exe with trailing numeric arguments.
BlueCyber stresses that tracking the full behavior chain, rather than relying only on individual IOC values, is the most reliable long-term defense against this and future PlugX variants.
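As an added illustration of that hunt (example code written for this page, not from BlueCyber's report), the following Python applies the two signals above to an exported set of Run-key values and a file listing, and correlates them so that a Run entry whose directory also holds the full three-file set ranks highest. The registry value names, user names and paths in the sample data are constructed, and %PUBLIC% is assumed to resolve to C:\Users\Public.

```python
import re
from pathlib import PureWindowsPath

# The three-file set the report says appears together (names taken from the page).
SIDELOAD_SET = {"avk.exe", "avk.dll", "avktray.dat"}

# Matches a Run value like: "C:\Users\Public\GData\Avk.exe" 4821 77
# (optionally quoted path ending in Avk.exe, then one or more numeric filler args).
RUN_VALUE_RE = re.compile(r'^"?(?P<path>.+?\\avk\.exe)"?\s+(?P<args>(\d+\s*)+)$', re.IGNORECASE)

# Constructed sample data standing in for a registry export and a file listing. %PUBLIC% is
# assumed to resolve to C:\Users\Public; pZhozR models a partially cleaned staging directory.
SAMPLE_RUN_VALUES = {
    "G Data": r'"C:\Users\Public\GData\Avk.exe" 4821 77',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "GDATA-Tray": r'"C:\Program Files\G DATA\AntiVirus\AVKTray.exe"',
}
SAMPLE_FILES = [
    r"C:\Users\Public\GData\Avk.exe",
    r"C:\Users\Public\GData\Avk.dll",
    r"C:\Users\Public\GData\AVKTray.dat",
    r"C:\Users\alice\AppData\Local\pZhozR\Avk.exe",
    r"C:\Users\alice\AppData\Local\pZhozR\Avk.dll",
    r"C:\Program Files\G DATA\AntiVirus\Avk.exe",  # genuine product install, on its own
]

def suspicious_run_entry(value_data):
    """Return the Avk.exe path if the Run value carries trailing numeric args, else None."""
    m = RUN_VALUE_RE.match(value_data.strip())
    return m.group("path") if m else None

def directories_with_full_set(file_paths):
    """Return directories (lower-cased) that hold all three sideload files together."""
    by_dir = {}
    for p in file_paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    return sorted(d for d, names in by_dir.items() if SIDELOAD_SET <= names)

def triage(run_values, file_paths):
    """Correlate both signals; a Run hit whose directory also hosts the set is highest confidence."""
    set_dirs = directories_with_full_set(file_paths)
    hits = []
    for name, data in run_values.items():
        path = suspicious_run_entry(data)
        if path is not None:
            parent = str(PureWindowsPath(path).parent).lower()
            hits.append({"value_name": name, "path": path, "set_present": parent in set_dirs})
    return {"set_dirs": set_dirs, "run_hits": hits}
```

On the sample data only the %PUBLIC%\GData entry is reported: the genuine G DATA install lacks the other two files, and the half-cleaned pZhozR directory has no Run entry pointing at it.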
Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 79af67ed343bc45b6a19e4836ebb83f1130243ff98f48465f9a7a807ba4bfa91 | iis.jpg (masqueraded MSI payload) |
| SHA-256 | 106f46375d8497d353c22c98f72ab15a9bb87beba4585d5a492fd11edc288b0b | Browser_Update.zip (initial dropper archive) |
| SHA-256 | 8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99 | Avk.exe (legitimate G DATA binary used for sideloading) |
| SHA-256 | 4cd81d26289c4d8383a0ffa34397f0b03941554eac04f1b420269b831acc | Avk.dll (malicious intermediate loader) |
| SHA-256 | d4bc21e12360af2f2cb55872a90b62805150d498c452b2b1c6a05a806cbb | AVKTray.dat (encrypted payload container) |
| SHA-256 | b52c484a3cc383dd3b4dc79c207946b603a810edf74bff76dca7ad29d4de | final_payload.bin (manually mapped PlugX implant) |
| IP Address | 45[.]251[.]243[.]210 | Payload delivery server (iis.jpg served over HTTP) |
| Domain | fruitbrat[.]com:443 | Primary C2 server (WinHTTP HTTPS communication) |
| Domain | dalerocks[.]com:443 | C2 for Vietnam-targeting variant (May 2026) |
| File Path | %LOCALAPPDATA%\pZhozR | Initial staging directory for three-file set |
| File Path | %PUBLIC%\GData | Persistent installation directory |
| Registry Key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G Data | Persistence Run key (value: Avk.exe with filler args) |
| Registry Key | HKCU\Software\Classes\ms-pu\CLSID | Unique client/install ID storage |
| Mutex | aumhYjQIQ | Mutex created to prevent duplicate controller instances |
| File Name | Browser_Updater.exe | Initial dropper disguised as browser update |
| RC4 Key | VOphJo | Runtime config decryption key |
| File Marker | arp | Extension marker used by plugin loader stubs |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.