Security researchers have uncovered new malicious activity attributed to Mustang Panda, a China-sponsored espionage group known for targeting government entities, military organizations, and non-governmental organizations, primarily in East Asia and Europe. The threat actor has been observed using weaponized RAR archives containing malicious DLLs alongside legitimate signed executables to deploy updated variants of the ToneShell malware through DLL sideloading. These archives typically contain a legitimate, signed executable paired with a malicious DLL that is sideloaded when the executable runs.

The infection mechanism relies heavily on DLL sideloading, a technique in which Windows loads a malicious DLL in place of a legitimate one by exploiting the system's DLL search order. When the victim executes the legitimate application, Windows attempts to load its required DLLs and inadvertently loads the malicious DLL placed alongside the executable. This technique effectively bypasses security controls by leveraging the trust established through digitally signed binaries while executing malicious code; it is particularly effective because the victim appears to be running legitimate software while malicious code executes at the same time.

Zscaler ThreatLabz researchers identified three distinct ToneShell variants during their investigation, each using a different legitimate executable for DLL sideloading. The group continues to evolve its toolset: the variants deployed across different targets each exhibit subtle modifications intended to evade detection. The malicious DLLs implement sophisticated capabilities, including a custom network protocol that uses FakeTLS headers to disguise malicious traffic. Newer variants have begun spoofing TLSv1.3 (using header bytes 0x17 0x03 0x04) instead of the previously observed TLSv1.2, demonstrating the threat actor's continued efforts to evade detection.
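As an added illustration that is not part of the article or Zscaler's research, the record-layer check below walks one direction of a captured byte stream and flags the FakeTLS tell described above; the samples are constructed, not real captures. The caveat a defender wants here: a genuine TLS 1.3 stack still writes 0x0303 into the record header (RFC 8446 pins legacy_record_version to that value), so a record beginning 0x17 0x03 0x04 is itself an anomaly worth alerting on, independent of anything else in the flow.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1, retained by RFC 8446).
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
# Versions a genuine stack writes into the record header. RFC 8446 section 5.1
# pins legacy_record_version to 0x0303 for TLS 1.3 (0x0301 only on the first
# ClientHello); 0x0304 never appears there, which makes it a usable FakeTLS tell.
GENUINE_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}
MAX_RECORD_BODY = 2 ** 14 + 256  # TLSCiphertext limit, RFC 8446 section 5.2


def inspect_stream(stream: bytes) -> list[str]:
    """Return record-layer findings for one direction of a flow (empty = cheap checks passed)."""
    findings: list[str] = []
    offset, index = 0, 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        if index == 0 and ctype != 0x16:
            # A real session opens with a ClientHello; data before any handshake
            # is how a hand-rolled "looks like TLS" protocol tends to behave.
            findings.append(f"record 0: stream opens with "
                            f"{CONTENT_TYPES.get(ctype, hex(ctype))}, not a handshake")
        if ctype not in CONTENT_TYPES:
            findings.append(f"record {index}: unknown content type 0x{ctype:02x}")
        if version not in GENUINE_RECORD_VERSIONS:
            findings.append(f"record {index}: version 0x{version:04x} in record header "
                            "(real TLS 1.3 uses 0x0303 here)")
        if length > MAX_RECORD_BODY:
            findings.append(f"record {index}: length {length} exceeds TLS maximum")
        if offset + 5 + length > len(stream):
            findings.append(f"record {index}: declared length {length} runs past captured data")
            break
        offset += 5 + length
        index += 1
    else:  # loop consumed the capture without hitting a truncated record
        if offset != len(stream):
            findings.append(f"{len(stream) - offset} trailing bytes, not a full record header")
    return findings


# Constructed samples (not captured traffic): a record shaped as the article
# describes, 0x17 0x03 0x04 plus a length and opaque bytes, and the record-layer
# shape a genuine TLS 1.3 client produces (handshake body is a stub).
FAKE_TLS_SAMPLE = bytes([0x17, 0x03, 0x04, 0x00, 0x04]) + b"\xde\xad\xbe\xef"
GENUINE_SHAPE_SAMPLE = (bytes([0x16, 0x03, 0x01, 0x00, 0x02]) + b"\x01\x00"
                        + bytes([0x17, 0x03, 0x03, 0x00, 0x03]) + b"\x00\x01\x02")

if __name__ == "__main__":
    for name, sample in (("fake", FAKE_TLS_SAMPLE), ("genuine-shaped", GENUINE_SHAPE_SAMPLE)):
        print(name, inspect_stream(sample) or ["no record-layer anomalies"])
```

The check is a cheap first filter only: a flow that passes it is not proven to be genuine TLS, and a hit on the version tell should be correlated with the process that produced the traffic.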
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Apr 2025 07:50:17 +0000