Earth Preta Abuses Microsoft Application Virtualization Injector To Inject Malicious Payloads

Advanced Persistent Threat (APT) group Earth Preta (a.k.a. Mustang Panda) has been observed weaponizing the Microsoft Application Virtualization Injector (MAVInject.exe) to bypass security software and implant backdoors in government systems across Asia-Pacific regions. To mitigate threats from Earth Preta, organizations should monitor legitimate tools like MAVInject.exe and waitfor.exe for unusual activity, use hunting queries to detect suspicious executions, and disable unused services, such as removing MAVInject.exe if Microsoft App-V isn’t required. MAVInject.exe, a signed Microsoft utility designed for application virtualization, has been repurposed by Earth Preta to inject malicious payloads into the waitfor.exe process, a legitimate Windows networking tool. Trend Micro’s Threat Hunting Team noted that this technique allows the group to evade ESET antivirus detection by masking malicious activity under trusted processes. The campaign, analyzed by Trend Micro’s Threat Hunting Team, combines legitimate software with sophisticated code injection to avoid detection. The files involved include legitimate executables (Setup Factory installer), malicious components (EACore.dll, a modified TONESHELL backdoor), and a decoy PDF mimicking a Thai government anti-crime initiative. Additionally, the campaign abuses legitimate processes like OriginLegacyCLI.exe to sideload malicious DLLs, mimicking trusted software behavior to avoid suspicion. Trend Micro attributes this campaign to Earth Preta with medium confidence, citing overlaps in TTPs, C&C infrastructure (militarytc[.]com), and the use of CoCreateGuid for victim identification.
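The monitoring advice above can be turned into a simple correlation over process-creation telemetry. The following is an added example, not code from Trend Micro or the original article: it flags a MAVInject.exe launch whose command line references the PID of a recently started waitfor.exe, and any MAVInject.exe launch on a host that does not use App-V. The event schema, the sample events and the `C:\Example` path are constructed assumptions.

```python
from dataclasses import dataclass

INJECTOR, TARGET = "mavinject.exe", "waitfor.exe"  # binaries named in the article

@dataclass
class ProcEvent:   # minimal process-creation record (hypothetical schema)
    ts: float      # seconds since the start of the capture
    pid: int
    ppid: int
    image: str     # path of the started executable
    cmdline: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, appv_in_use=False, window=300):
    """Return (severity, reason, event) tuples in time order."""
    findings, targets = [], {}   # targets: pid -> waitfor.exe creation event
    for ev in sorted(events, key=lambda e: e.ts):
        name = basename(ev.image)
        if name == TARGET:
            targets[ev.pid] = ev
        elif name == INJECTOR:
            # Any numeric argument that matches a live waitfor.exe PID is suspect.
            pids = [int(t) for t in ev.cmdline.split() if t.isdigit()]
            hit = next((targets[p] for p in pids
                        if p in targets and ev.ts - targets[p].ts <= window), None)
            if hit:
                sib = " from the same parent" if hit.ppid == ev.ppid else ""
                findings.append(
                    ("high", f"MAVInject.exe targets waitfor.exe PID {hit.pid}{sib}", ev))
            elif not appv_in_use:
                findings.append(
                    ("medium", "MAVInject.exe ran on a host that does not use App-V", ev))
    return findings

# Constructed sample events; argument strings are elided on purpose.
SAMPLE_EVENTS = [
    ProcEvent(0, 3000, 1000, r"C:\Example\OriginLegacyCLI.exe", "OriginLegacyCLI.exe"),
    ProcEvent(5, 4120, 3000, r"C:\Windows\System32\waitfor.exe", "waitfor.exe <elided>"),
    ProcEvent(6, 4200, 3000, r"C:\Windows\System32\mavinject.exe", "MAVInject.exe 4120 <elided>"),
    ProcEvent(900, 5000, 800, r"C:\Windows\System32\mavinject.exe", "MAVInject.exe 7777 <elided>"),
]

if __name__ == "__main__":
    for severity, reason, ev in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] pid={ev.pid} ppid={ev.ppid}: {reason}")
```

The `window` bound limits false matches from PID reuse; tune it to the retention and clock resolution of the telemetry source.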

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 12:25:15 +0000

