A well-known Chinese state-sponsored threat group called Mustang Panda has been caught running a sophisticated cyberattack campaign using its signature remote access tool, PlugX.
The group used a cleverly disguised fake browser update to trick users into downloading a multi-stage malware loader that quietly installed itself on victim systems and began communicating with a remote command server, all without raising obvious suspicion.
The attack stands out for how carefully each step of the infection is separated from the others. Rather than relying on a single malicious file, the attackers built a tightly linked chain of components that only reveal their full purpose when working together.
This design makes it much harder for security tools to catch the threat by scanning any one file in isolation.
Analysts at BlueCyber identified the malware and published a detailed technical breakdown, noting that the chain began with two suspicious files: Browser_Update.zip and a masqueraded image named iis.jpg, both flagged as malicious by multiple vendors on VirusTotal.
BlueCyber said in a report shared with Cyber Security News (CSN) that the chain is divided into many small layers, with each stage taking on a specific task, helping the malware reduce static detection indicators and slow down analysis.
The attack was designed to look completely normal at a glance. The dropper, Browser_Updater.exe, opened a convincing fake update window styled after Adobe Acrobat, complete with Install and Cancel buttons, and even carried digital signatures from a Chinese company to appear more trustworthy.
Once a user clicked Install, it silently reached out to a remote server and downloaded what looked like a JPEG image but was actually a hidden MSI installer that dropped three files onto the machine.
Mustang Panda Deploys PlugX RAT
The three files dropped were Avk.exe, Avk.dll, and AVKTray.dat. What made this particularly deceptive is that Avk.exe is a legitimate, properly signed binary from G DATA AntiVirus, used as a cover to load the malicious DLL through a technique called DLL sideloading.
Execution Chain (Source – BlueCyber)
Since the executable carries a valid vendor signature, it raises far fewer security alarms on its own.
Avk.dll served as an intermediate loader, resolving the Windows APIs it needed by hash at runtime so that the function names never appear in the DLL's import table or strings, which deprives static analysis of an easy list of its capabilities.
It read the encrypted payload inside AVKTray.dat, granted it execute permissions in memory, then triggered execution through a Windows threadpool callback, a method that hides the true origin of execution from security monitoring tools.
The payload inside AVKTray.dat passed through multiple decryption layers, including XOR followed by RC4 decryption using the key VOphJo, before being manually mapped into memory without touching the disk as a normal executable.
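The two unpacking layers described above, XOR followed by RC4 with the key VOphJo, as an added analyst-side example that is not BlueCyber's code. The report does not give the XOR key byte, so the value used here is assumed, and the sample blob is constructed by applying the same layers in reverse.

```python
# Added example (not BlueCyber's code): reproduces the two decryption layers the
# report describes for AVKTray.dat, a single-byte XOR pass followed by RC4 with
# the key "VOphJo". The XOR key byte is not given in the report and is assumed
# here; the sample input is constructed by applying the same layers in reverse.
from __future__ import annotations

RC4_KEY = b"VOphJo"   # key named in the BlueCyber report
XOR_KEY = 0x5A        # ASSUMED: the report does not state the XOR key byte


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). RC4 is symmetric: one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def unpack_payload(blob: bytes, xor_key: int = XOR_KEY, rc4_key: bytes = RC4_KEY) -> bytes:
    """Layer order as described in the report: XOR first, then RC4."""
    return rc4(rc4_key, xor_bytes(blob, xor_key))


def pack_payload(plain: bytes, xor_key: int = XOR_KEY, rc4_key: bytes = RC4_KEY) -> bytes:
    """Inverse of unpack_payload; used only to build the constructed test blob."""
    return xor_bytes(rc4(rc4_key, plain), xor_key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after unpacking: a manually mapped image starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample: a fake PE header so the round trip can be checked offline.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_BLOB = pack_payload(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("PE header recovered:", looks_like_pe(unpack_payload(SAMPLE_BLOB)))
```

A wrong XOR byte still yields a byte string of the right length, so the `MZ` check is what tells an analyst the assumed key was correct.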
Reading the payload and granting RWX permission (Source – BlueCyber)
After loading, it installed itself into %PUBLIC%\GData and wrote a persistence entry to the Windows Run registry key, ensuring it restarts every time the user logs in.
C2 Communication and Command Capabilities
Once installed, the payload connected to its command-and-control server at fruitbrat[.]com over port 443, using HTTPS to blend in with normal web traffic.
It crafted its requests to mimic Microsoft Edge browser activity, making detection at the network level even harder. It also stored a unique client ID in the registry to identify the infected machine to the remote server.
The command capabilities of this implant were extensive. It could download and execute files from the C2, launch processes and capture their output, upload and download file chunks by session, enumerate and delete files, and kill diagnostic tools like iediagcmd.exe to prevent an admin from spotting unusual activity.
Patch SetUnhandledExceptionFilter (Source – BlueCyber)
Plugin loader stubs in the code also allowed the attackers to push additional capabilities to infected machines whenever needed.
Security analysts recommend watching for Avk.exe, Avk.dll, and AVKTray.dat appearing together in directories like %PUBLIC%\GData or %LOCALAPPDATA%\pZhozR, and for Run key entries pointing to Avk.exe with trailing numeric arguments.
BlueCyber stresses that tracking the full behavior chain, rather than relying only on individual IOC values, is the most reliable long-term defense against this and future PlugX variants.
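A hunting check for the host artifacts the analysts describe, the three-file set co-located in a staging directory and a Run key launching Avk.exe with trailing numeric arguments, as an added example that is not BlueCyber's tooling. It runs over a constructed inventory snapshot; the directory names, value name and argument shape follow the report, the specific paths and numbers are made up.

```python
# Added example (not BlueCyber's code): flags Avk.exe, Avk.dll and AVKTray.dat
# appearing together in one directory (the report names %PUBLIC%\GData and
# %LOCALAPPDATA%\pZhozR) and Run-key values that launch Avk.exe followed by
# numeric filler arguments. Input is a constructed host snapshot, shaped like
# what an inventory or EDR export would give you.
from __future__ import annotations
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SIDELOAD_SET = {"avk.exe", "avk.dll", "avktray.dat"}
KNOWN_STAGING_NAMES = {"gdata", "pzhozr"}   # final path component, from the report
# Run-key value: optional quotes, a path ending in \Avk.exe, then one or more numbers.
RUN_VALUE_RE = re.compile(r'^"?(?P<path>[^"]*\\Avk\.exe)"?(?:\s+\d+)+\s*$', re.I)


def find_sideload_sets(file_paths: list[str]) -> list[str]:
    """Directories (lower-cased) where all three files of the set appear together."""
    by_dir: dict[str, set[str]] = defaultdict(set)
    for p in file_paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    return sorted(d for d, names in by_dir.items() if SIDELOAD_SET <= names)


def find_persistence(run_values: dict[str, str]) -> list[tuple[str, str]]:
    """(value name, launched path) for Run entries matching the Avk.exe pattern."""
    hits = []
    for name, cmd in run_values.items():
        m = RUN_VALUE_RE.match(cmd)
        if m:
            hits.append((name, m.group("path")))
    return hits


def triage(file_paths: list[str], run_values: dict[str, str]) -> dict:
    dirs = find_sideload_sets(file_paths)
    known = [d for d in dirs if PureWindowsPath(d).name in KNOWN_STAGING_NAMES]
    runs = find_persistence(run_values)
    # Either signal alone is worth a look; both together match the reported chain.
    return {"sideload_dirs": dirs, "known_staging": known, "run_keys": runs,
            "suspicious": bool(dirs and runs)}


# Constructed snapshot: one infected directory, one lone legitimate Avk.exe,
# one benign Run entry and one shaped like the report's persistence value.
SAMPLE_FILES = [
    r"C:\Users\Public\GData\Avk.exe",
    r"C:\Users\Public\GData\Avk.dll",
    r"C:\Users\Public\GData\AVKTray.dat",
    r"C:\Program Files\G DATA\AntiVirus\Avk.exe",
]
SAMPLE_RUN = {
    "G Data": r'"C:\Users\Public\GData\Avk.exe" 1234 5678',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN))
```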
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Mustang Panda Deploys PlugX RAT Through Multi-Stage LNK and PowerShell Attack Chain appeared first on Cyber Security News.