Mustang Panda and PlugX: A Deep Dive into Phishing-Led Loader Operations

SOC Prime Team

Mustang Panda and PlugX: A Deep Dive into Phishing-Led Loader Operations

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

The report describes a multi-stage intrusion attributed to the China-nexus Mustang Panda group. The chain begins with a weaponized Windows shortcut (LNK) that launches a PowerShell loader. That loader drops a decoy ZIP, extracts an encrypted DLL, and ultimately deploys the PlugX remote access trojan using reflective loading and thread-pool injection. Command-and-control traffic is sent over HTTPS to infrastructure associated with coastallasercompany.com. The implant also implements evasive tradecraft such as API hashing, PEB walking, and heavy string obfuscation to reduce static detection.

Investigation

Analysts rebuilt the execution path end to end: initial LNK activation, PowerShell staging, DLL side-loading, in-memory decryption, and final PlugX runtime. The tooling uses DJB2-like API hashing and ROL-13 hashing for import resolution, plus an RC4-encrypted configuration blob. Persistence was observed through modification of the HKCU Run registry key. The investigation extracted detection-ready indicators including filenames, hashes, and the C2 domain used for HTTPS beaconing.

Mitigation

Block or quarantine untrusted .lnk files and constrain PowerShell execution, especially scripts that read or write from user-writable locations. Monitor for suspicious file creation under %LocalAppData%, particularly randomly generated GUID-like names, and harden DLL search-order behavior to reduce side-loading opportunities. Apply DNS/proxy controls to deny access to the identified C2 domain, and use TLS inspection where appropriate to surface anomalous HTTPS beacon patterns.

Response

If suspected activity is detected, isolate the host, capture volatile memory, and preserve the encrypted configuration for deeper analysis. Sweep the environment for the extracted IOCs, remove dropped artifacts, and delete the malicious HKCU Run persistence entry. Rotate credentials at scope and hunt for signs of lateral movement consistent with PlugX operator tradecraft.

"graph TB %% Class definitions classDef technique fill:#ffcc99 classDef artifact fill:#ccffcc classDef process fill:#ccccff classDef registry fill:#ffe599 %% Initial Access initial_zip["Artifact – Malicious ZIP archive containing .lnk"] class initial_zip artifact lnk_shortcut["Artifact – Shortcut (.lnk) with hidden icon"] class lnk_shortcut artifact tech_lnk_smack["Technique – T1027.012 LNK Icon Smuggling Description: Use LNK icon to hide malicious payload"] class tech_lnk_smack technique tech_user_exec["Technique – T1204.002 User Execution: Malicious File Description: Victim opens malicious file"] class tech_user_exec technique %% Execution psh_stage["Process – PowerShell stage executed by .lnk"] class psh_stage process tech_psh["Technique – T1059.001 PowerShell Description: Command and scripting interpreter"] class tech_psh technique tech_archive_custom["Technique – T1560.003 Archive via Custom Method Description: Reads ZIP as raw bytes"] class tech_archive_custom technique extracted_exe["Artifact – Extracted legitimateu2011looking executable"] class extracted_exe artifact malicious_dll["Artifact – Eraser.dll (malicious)"] class malicious_dll artifact encrypted_dat["Artifact – Encrypted .dat payload"] class encrypted_dat artifact %% Persistence run_key["Registry – HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry"] class run_key registry tech_run_key["Technique – T1037.001 Logon Script (Boot or Logon Initialization Scripts) Description: Run key persistence"] class tech_run_key technique shortcut_mod["Technique – T1547.009 Shortcut Modification Description: Modifies shortcuts for autostart"] class shortcut_mod technique active_setup["Technique – T1547.014 Active Setup Description: Registry entry for autostart via Active Setup"] class active_setup technique psh_profile["Technique – T1546.013 PowerShell Profile Description: Hooks PowerShell profile for execution"] class psh_profile technique %% Defense Evasion tech_compress["Technique – T1027.015 Compression Description: Compresses payload within ZIP"] class tech_compress technique tech_dynamic_api["Technique – T1027.007 Dynamic API Resolution Description: Resolves APIs at runtime using hash"] class tech_dynamic_api technique tech_embedded["Technique – T1027.009 Embedded Payloads Description: Embeds encrypted payloads"] class tech_embedded technique tech_deobfuscate["Technique – T1140 Deobfuscate/Decode Files or Information Description: RC4/XOR decryption at runtime"] class tech_deobfuscate technique tech_masquerade["Technique – T1036.008 Masquerading: Masquerade File Type Description: Decoy PDF overlay"] class tech_masquerade technique %% Privilege Escalation / Execution tech_reflective["Technique – T1620 Reflective Code Loading Description: Loads DLL in memory without touching disk"] class tech_reflective technique tech_injection["Technique – T1055.001 Process Injection: DLL Injection Description: Injects DLL via PEB walking and threadu2011pool callbacks"] class tech_injection technique %% Command and Control c2_https["Process – HTTPS C2 communication (port 443)"] class c2_https process tech_nonstd_port["Technique – T1571 Nonu2011Standard Port Description: Uses common port to blend traffic"] class tech_nonstd_port technique tech_dead_drop["Technique – T1102.001 Dead Drop Resolver Description: Retrieves server address from web service"] class tech_dead_drop technique tech_proxy["Technique – T1090.002 Proxy: External Proxy Description: Routes traffic through external proxy"] class tech_proxy technique %% Connections initial_zip –>|contains| lnk_shortcut lnk_shortcut –>|uses| tech_lnk_smack lnk_shortcut –>|triggers| tech_user_exec tech_user_exec –>|leads to| psh_stage psh_stage –>|executes| tech_psh psh_stage –>|reads| tech_archive_custom tech_archive_custom –>|extracts| extracted_exe tech_archive_custom –>|extracts| malicious_dll tech_archive_custom –>|extracts| encrypted_dat psh_stage –>|writes| run_key run_key –>|implements| tech_run_key psh_stage –>|creates| shortcut_mod psh_stage –>|creates| active_setup psh_stage –>|hooks| psh_profile psh_stage –>|applies| tech_compress psh_stage –>|applies| tech_dynamic_api psh_stage –>|applies| tech_embedded psh_stage –>|applies| tech_deobfuscate psh_stage –>|applies| tech_masquerade malicious_dll –>|acts as| tech_reflective malicious_dll –>|performs| tech_injection tech_injection –>|enables| c2_https c2_https –>|uses| tech_nonstd_port c2_https –>|uses| tech_dead_drop c2_https –>|may route through| tech_proxy %% Class assignments class initial_zip,lnk_shortcut,extracted_exe,malicious_dll,encrypted_dat artifact class psh_stage,c2_https process class run_key registry class tech_lnk_smack,tech_user_exec,tech_psh,tech_archive_custom,tech_run_key,shortcut_mod,active_setup,psh_profile,tech_compress,tech_dynamic_api,tech_embedded,tech_deobfuscate,tech_masquerade,tech_reflective,tech_injection,tech_nonstd_port,tech_dead_drop,tech_proxy technique "

Attack Flow

Attack Narrative & Commands:
An attacker has gained a foothold on a compromised workstation and wants to stage malicious payloads while remaining invisible to the user. They launch PowerShell in hidden mode (-w hidden) to avoid UI pop‑ups. Within the same PowerShell session they use the built‑in tar utility (available on modern Windows builds) to extract a decoy archive that contains the next stage payloads directly into %LocalAppData%, a writable location that is often overlooked by defenses.

Steps:
1. Create a small tar archive (payloads.tar) containing a benign dummy file (simulating the malicious payload).
2. Store the archive in a temporary location (C:Temp).
3. Execute PowerShell hidden window that runs the tar extraction command targeting %LocalAppData%.

Regression Test Script:

# ---------------------------------------------------------
# Step 1 – Prepare a sample tar archive (simulates payloads)
# ---------------------------------------------------------
$tempDir   = "C:Temp"
$archive   = "$tempDirpayloads.tar"
$payload   = "$tempDirdummy.txt"
$destDir   = "$Env:LocalAppDataStagedPayloads"

# Ensure temp folder exists
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# Create a dummy file to archive
"This is a dummy payload file." | Set-Content -Path $payload -Encoding UTF8

# Create the tar archive (requires Windows tar)
tar -cf $archive -C $tempDir dummy.txt

# ---------------------------------------------------------
# Step 2 – Execute hidden PowerShell that extracts the archive
# ---------------------------------------------------------
$extractCmd = "tar -xvf `"$archive`" -C `"$Env:LocalAppData`""
$psArgs     = "-NoProfile -WindowStyle Hidden -Command `$extractCmd"

Start-Process -FilePath "powershell.exe" -ArgumentList $psArgs -WindowStyle Hidden

# ---------------------------------------------------------
# Step 3 – Optional: Verify extraction (for manual validation)
# ---------------------------------------------------------
Write-Host "Extraction complete. Files should now exist in $Env:LocalAppData"

Cleanup Commands:

# Remove temporary files and staged payloads
Remove-Item -Path "C:Temppayloads.tar" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:Tempdummy.txt"   -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$Env:LocalAppDatadummy.txt" -Force -ErrorAction SilentlyContinue
# Optionally remove the entire staging folder if created
Remove-Item -Path "$Env:LocalAppDataStagedPayloads" -Recurse -Force -ErrorAction SilentlyContinue

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free