Cyber Web Spider Blog – News
Mustang Panda Using New DLL Side-Loading Technique to Deliver Malware

Posted on October 8, 2025October 9, 2025 By CWS

In recent weeks, cybersecurity analysts have observed a resurgence of the Mustang Panda threat actor deploying a novel DLL side-loading technique to deliver malicious payloads.

Emerging in June 2025, this campaign leverages politically themed lures targeting Tibetan advocacy groups.

Victims receive a ZIP archive containing a decoy executable named Voice for the Unvoiced Pictures.exe alongside a hidden dynamic-link library, libjyy.dll, marked with the system and hidden attributes to evade casual inspection.

When executed, the decoy loads this hidden library via LoadLibraryW, triggering the obfuscated malware routine under the guise of legitimate software.

Mustang Panda's attack chain begins with a phishing email carrying the ZIP container. Once opened, Explorer hides the malicious DLL because of its combined "hidden" and "system" flags.

Hidden DLL in the directory (Source – 0x0d4y.blog)

The decoy executable then dynamically loads libjyy.dll by resolving the ProcessMain entry point and invoking it.

At this stage, the 0x0d4y malware researcher noted that this loader employs dynamic API resolution and string decryption routines to obscure its behavior, making static detection far more difficult.

After initializing, the malicious DLL decrypts its core payloads, sets up persistence via multiple methods (registry run keys and scheduled tasks), and finally extracts shellcode for execution.

The persistence logic first renames both the decoy and the loader to %SystemRoot%\Adobe\licensinghelper.exe and registers a run key named AdobeLicensingHelper under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

ProcessMain (Source – 0x0d4y.blog)

It then creates a scheduled task, executed every two minutes, to relaunch the loader with the required Licensing argument.

Infection Mechanism

Mustang Panda's infection mechanism hinges on the DLL side-loading technique (T1574.006), dubbed "ClaimLoader."

The loader executable contains minimal import references, instead dynamically decrypting API names at runtime.

A simple XOR routine with key 0x19 decodes encrypted strings before invoking LoadLibraryW and GetProcAddress.

For example:

mov edx,                   ; byte count of the encrypted string (operand elided in the source)
mov ecx,                   ; pointer to the encrypted string (operand elided in the source)
; XOR decryption loop
decrypt_loop:
mov al, [ecx]              ; read one encrypted byte
xor al, 0x19               ; single-byte XOR key
mov [ecx], al              ; write the plaintext byte back in place
inc ecx
dec edx
jnz decrypt_loop
; After decryption, load the API dynamically
push                       ; decrypted API name (operand elided in the source)
call decryptstrloadapi     ; resolves the name via LoadLibraryW / GetProcAddress
call eax                   ; eax holds the resolved API address

This code snippet illustrates how the loader avoids static imports and hides its true intentions until execution.

Once the true payload library is loaded, it uses a secondary custom XOR algorithm, cycling through a four-byte key array [0x01, 0x02, 0x03, 0x04], to decrypt a schtasks command string in memory.

The decoded command schedules the loader to run periodically:

schtasks /Create /TN AdobeExperienceManager /SC MINUTE /MO 2 /TR "C:\Windows\Adobe\licensinghelper.exe Licensing" /F

Following these steps, the loader allocates executable memory via VirtualAlloc, copies the shellcode, and abuses the EnumFontsW callback mechanism to execute it.

The shellcode then performs API hashing to resolve network functions and exfiltrate system data to a command-and-control server.

Through these layered techniques, Mustang Panda remains especially elusive, blending well-known Windows APIs with dynamic loading and obfuscation to thwart traditional endpoint defenses.
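The two string-decoding routines described above (the loader's single-byte XOR with key 0x19 and the payload's cycling four-byte XOR), reimplemented in Python as an added example for analysts; this is not code from the article or from the 0x0d4y write-up, and the encoded sample buffers and the list of API names to search for are constructed here.

```python
# Added example: the two XOR string-decoding routines described in the article,
# reimplemented so encoded strings recovered from a sample can be decoded offline.
# The sample buffers at the bottom are constructed here, not bytes from the real loader.
SINGLE_KEY = 0x19                               # loader's single-byte XOR key
ROLLING_KEY = bytes([0x01, 0x02, 0x03, 0x04])   # payload's cycling four-byte key

def xor_single(data: bytes, key: int = SINGLE_KEY) -> bytes:
    """Loader routine: XOR every byte with one key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)

def xor_rolling(data: bytes, key: bytes = ROLLING_KEY) -> bytes:
    """Payload routine: XOR byte i with key[i mod len(key)], wrapping the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Assumed list of API names worth looking for; extend it with whatever a sample resolves.
KNOWN_APIS = ["LoadLibraryW", "GetProcAddress", "VirtualAlloc", "EnumFontsW"]

def find_encoded_apis(blob: bytes, key: int = SINGLE_KEY) -> list:
    """Return (offset, name) for each known API whose key-XORed form occurs in blob.
    Searching for the encoded form flags the strings without running the loader."""
    hits = []
    for name in KNOWN_APIS:
        enc = xor_single(name.encode("ascii"), key)
        pos = blob.find(enc)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(enc, pos + 1)
    return sorted(hits)

def decode_c_string(blob: bytes, offset: int, key: int = SINGLE_KEY) -> str:
    """Decode a NUL-terminated encoded string; the terminator encodes as 0x00 ^ key."""
    out = bytearray()
    for b in blob[offset:]:
        if b == key:      # encoded NUL terminator
            break
        out.append(b ^ key)
    return out.decode("ascii", errors="replace")

# Constructed sample buffers: two encoded API names with padding, and an encoded command.
SAMPLE_BLOB = (b"\x90\x90" + xor_single(b"LoadLibraryW\x00")
               + b"\xcc" + xor_single(b"GetProcAddress\x00"))
SAMPLE_CMD = xor_rolling(b"schtasks /Create /TN AdobeExperienceManager /SC MINUTE /MO 2")

if __name__ == "__main__":
    for off, name in find_encoded_apis(SAMPLE_BLOB):
        print(hex(off), name, "->", decode_c_string(SAMPLE_BLOB, off))
    print(xor_rolling(SAMPLE_CMD).decode())
```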
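Detection logic for the persistence artifacts just described (the two-minute scheduled task and the run key), as an added example that is not from the article or the 0x0d4y analysis; it runs over constructed process-creation and registry events that mirror the command above, and the regular expressions and the five-minute threshold are assumptions of this example, not signatures from the page.

```python
import re
# Added example: flag the persistence artifacts described above. The events below are
# constructed to mirror the article's scheduled task and run key, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": "schtasks.exe",
     "cmdline": 'schtasks /Create /TN AdobeExperienceManager /SC MINUTE /MO 2 '
                '/TR "C:\\Windows\\Adobe\\licensinghelper.exe Licensing" /F'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "AdobeLicensingHelper",
     "data": r"C:\Windows\Adobe\licensinghelper.exe Licensing"},
    {"type": "process", "image": "schtasks.exe",          # benign control case
     "cmdline": 'schtasks /Create /TN NightlyBackup /SC DAILY /ST 02:00 '
                '/TR "C:\\Program Files\\Backup\\backup.exe"'},
]

FLAG_RE = re.compile(r'/(TN|SC|MO|TR)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
EXE_RE = re.compile(r'^\s*"?([^"]*?\.exe)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# Assumed heuristic: a binary under the Windows directory but outside the system folders.
ODD_WINDIR_RE = re.compile(r"^[A-Z]:\\Windows\\(?!System32\\|SysWOW64\\)", re.IGNORECASE)
MAX_MINUTES = 5   # assumed threshold for a "high-frequency" MINUTE schedule

def parse_schtasks(cmdline: str) -> dict:
    """Pull /TN, /SC, /MO and /TR (quoted or bare) out of a schtasks command line."""
    opts = {}
    for m in FLAG_RE.finditer(cmdline):
        opts[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts

def target_exe(launch_string: str) -> str:
    """The binary a /TR string or Run-key value will start, without its arguments."""
    m = EXE_RE.match(launch_string)
    return m.group(1) if m else launch_string.split()[0]

def assess(event: dict) -> list:
    """Return the reasons that fire for one event; an empty list means nothing matched."""
    reasons = []
    if event["type"] == "process" and event["image"].lower() == "schtasks.exe" \
            and "/create" in event["cmdline"].lower():
        o = parse_schtasks(event["cmdline"])
        mo = o.get("MO", "1")
        if o.get("SC", "").upper() == "MINUTE" and mo.isdigit() and int(mo) <= MAX_MINUTES:
            reasons.append(f"task repeats every {mo} minute(s)")
        if "TR" in o and ODD_WINDIR_RE.match(target_exe(o["TR"])):
            reasons.append("task target lives in a non-standard Windows subfolder")
    elif event["type"] == "registry" and RUN_KEY_RE.search(event["key"]):
        if ODD_WINDIR_RE.match(target_exe(event["data"])):
            reasons.append("Run key points into a non-standard Windows subfolder")
    return reasons
```

Feeding each of SAMPLE_EVENTS to assess() flags the first two and returns an empty list for the benign backup task.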

