Scroll to top

Get In Touch
541 Melville Ave, Palo Alto, CA 94301,
Ph: +1.831.705.5448

Work Inquiries
Ph: +1.831.306.6725

Mustang Panda APT Targets Europe with Plugx Malware

Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but
may have been conducting operations since at least 2014. Mustang Panda has targeted government
entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe,
Mongolia, Myanmar, Pakistan, and Vietnam, among others.
Recently,the group has shifted from using archive files to using malicious optical disc
image(ISO)files to deliver a modified version of the PlugX malware, increasing the group’s evasion
against anti-malware solutions targeting Europe. The group employs a four-stage infection chain
that leverages malicious shortcut (LNK)files and DLL search-order-hijacking to load the Plug X
malware into the memory of legitimate software.

PlugX Malware execution flaw

First Stage: PlugX Malware Delivered by ISO Image

This iso image contain Shortcut(LNK) file which looks like a doc file which contain malware.

The tes2022.ucp can be replaced by the software from which you want to take the remote access of the victim system.

The legitimate and malicious executable are placed on the same file path (System Volume Information) to perform DLL Hijacking.

1. Legitimate software through which we replace the malicious exe.

2. Plugx loader

3. Encrypted Malware


Second Stage: DLL Hijacking Execution Chain to Load PlugX Malware

When a victim clicks on the shortcut file, it executes the command line argument mentioned in first stage, which is a technique called DLL hijacking (after the execution of LMIGuardianSvc.exe, it loads LMIGuardianDll.dll aka PlugX loader automatically). Upon execution of the PlugX loader a Microsoft Office Word document opens.

Process tree below shows that the execution of application takes twice and new directory is created which is use by malware to persistence in system.

The PlugX Malware loader decrypts and loads the encrypted shellcode (LMIGuardianDat.dat) inside the LMIGuardianSvc.exe. Injected memory space can be extracted to perform further analysis of decrypted PlugX Malware.

During static analysis, Researchers  identified that the PlugX malware loader used a simple XOR algorithm to decrypt the LMIGuardianDAT.dat (XOR encrypted PlugX shellcode) to avoid signature-based detection from antimalware solutions.

Dll uses 0*47F XOR key to decrypt the malware before executing.

Third Stage: Registry Run Key Persistence

Threat group is abusing window registry run key to persistence in victim system. As you can see registry is update with a new run key called LMIGuardian Update.

Fourth Stage: Command and Control Connection

After a successful execution of PlugX malware, it connects to a remote C2 server which is used to send commands to compromised systems via the PlugX malware and to receive exfiltrated data from a target network.  


Mustang Panda right now uses the Dll Hijacking technique to persist in the network. They are deploying there malware in Ukraine and Europe. They provide the doc file(.doc.lnk) which looks like a microsoft word document.


Implement basic incident response and detection deployments and controls like network IDS, netflow collection, host-logging, and web proxy, alongside human monitoring of detection sources.

  • Employ host-based controls.
  • Filter email correspondence and monitor for malicious attachments.
  • Identify critical data and implement additional network segmentation and special protections for sensitive information, such as multifactor authentication, highly restricted access, and storage systems only accessible via an internal network.
  • Create alerts for disk image file types, such as ISO, and shortcut files, which have been increasingly abused by different threat actors. Furthermore, organizations should consider disabling auto-mounting of ISO or VHD files.
  • Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on and upon review, consider blocking connection attempts from unrecognized external IP addresses and domains.


Sample File Name(s) SHA-256 Hash 
LMIGuardianDll.dll ee2c8909089f53aafc421d9853c01856b0a9015eba12aa0382e98417d28aef3f 
LMIGuardianDat.dat 8c4926dd32204b6a666b274a78ccfb16fe84bbd7d6bc218a5310970c4c5d9450 
draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.iso 723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3 
draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc.lnk 2c0273394cda1b07680913edd70d3438a098bb4468f16eebf2f50d060cdf4e96 
LMIGuardianSvc.exe renamed (test2022.ucp) 26c855264896db95ed46e502f2d318e5f2ad25b59bdc47bd7ffe92646102ae0d 
Author avatar
Sanadhya Kaushik

Post a comment

Your email address will not be published. Required fields are marked *