{
	"id": "ccb1d64e-8889-4b10-9e1a-a3d0c8ea000b",
	"created_at": "2026-04-06T00:11:36.275148Z",
	"updated_at": "2026-04-10T13:12:50.963371Z",
	"deleted_at": null,
	"sha1_hash": "8237747eb96c9e5e85032aef65037b335ecb8ae1",
	"title": "Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 177827,
	"plain_text": "Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers\r\nPublished: 2020-06-02 · Archived: 2026-04-05 18:50:37 UTC\r\nRecently, at Lab52 we detected a new malware sample that uses the DLL sideloading technique: a legitimate binary is abused to load a malicious library placed next to it, which in turn loads the real threat.\r\nThis particular sample has a very small DLL that loads an encrypted file which, once decrypted, is a sample of the PlugX trojan. This technique and final payload together make up one of the most common TTPs among APT groups, generally of Chinese origin, such as APT1, APT27 and Mustang Panda.\r\nThe sample in question is downloaded from the URL “http://miandfish.]store/player/install_flash_player.exe”. In previous months the file hosted under that name had a different hash; at the time of writing its SHA256 is “c56ac01b3af452fedc0447d9e0fe184d093d3fd3c6631aa8182c752463de570c”.\r\nThe binary is an installer that drops three files into the folder “C:\\ProgramData\\AAM Updatesnnk”: the legitimate binary vulnerable to DLL sideloading, the small DLL that acts as a loader for the final threat, and a data file containing the encrypted PlugX sample. After deploying the three files, the installer runs the legitimate binary, which loads the DLL and with it the final PlugX threat.\r\nhttps://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/\r\nPage 1 of 5\r\nIn this case, the legitimate vulnerable binary is part of an Adobe suite and will load any library named “hex.dll” that sits next to the executable.\r\nThat hex.dll is a very simple and relatively small loader. It has 4 exports that return 0 without doing anything; the library’s main function (DllMain), on the other hand, calls a function that checks for the existence of a .dat file whose name is hardcoded (adobeupdate.dat in this case), loads it, extracts the first string of the file and uses it as the XOR key to decode the rest of the file, which is the final threat.\r\nThe following code in Python imitates the decoding logic:\r\nWhen decoding finishes, the loader copies the malware into memory, changes the memory protection of that region to make it executable and transfers control to byte 0 of the decoded buffer.\r\nSince the decoded file is a functional PE, this should not work: it begins with the usual “MZ” header rather than with code. But in this case it uses a technique already seen in tools like the Cobalt Strike Beacon, where a few bytes of the MZ header are modified so that the header becomes meaningful executable code. If we open the binary as shellcode (disassembling from byte 0) we can see that the first bytes have been turned into a routine that jumps to a code region containing a PE loader.\r\nAfter resolving the IAT and leaving everything ready as in a normally loaded executable, the threat decrypts its own configuration, which is stored XOR-encrypted in the .data section of the binary. This time the decryption key is hardcoded in the binary: the string “123456789”.\r\nThe decrypted configuration contains the folder where the binary must be installed, a XOR key that it will use to encrypt its traffic, and a list of up to 4 domains or IP addresses of command and control servers together with the port to be used. 
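The two XOR steps described above (the hex.dll loader taking the first string of adobeupdate.dat as the key for the rest of the file, and the PlugX payload decrypting its .data configuration with the hardcoded key “123456789”), recreated in Python as an added example. This is not the original post’s code: the .dat layout (key string, NUL byte, XORed payload) and the repeating-key XOR are assumptions taken from the description, and every sample byte below is constructed for the demo rather than taken from the real sample.

```python
# Added example (not the original post's Python): recreates the two XOR steps
# the Lab52 text describes, on constructed sample bytes. Marked assumptions:
#   - the first string of the .dat file is NUL-terminated (assumption)
#   - the key is applied as a repeating-key XOR (assumption)
from typing import List, Tuple

PLUGX_CONFIG_KEY = b'123456789'   # key named in the text for the .data config


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR; XOR is its own inverse, so this both encodes and decodes.
    if not key:
        raise ValueError('empty XOR key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_dat(blob: bytes) -> Tuple[bytes, bytes]:
    # The loader takes the first string of the .dat file as the key and the
    # remainder as ciphertext. Assumption: the string is NUL-terminated.
    nul = blob.find(0)
    if nul <= 0:
        raise ValueError('no NUL-terminated key string at start of .dat')
    return blob[:nul], blob[nul + 1:]


def decode_dat(blob: bytes) -> bytes:
    # Step 1: recover the PlugX payload exactly as hex.dll would.
    key, ciphertext = split_dat(blob)
    return xor_with_key(ciphertext, key)


def looks_like_pe(buf: bytes) -> bool:
    # Sanity check for the decoded payload: the text says it stays a functional
    # PE even though its first bytes double as shellcode, so 'MZ' must be
    # intact and e_lfanew (offset 0x3c) must point at 'PE' plus two NUL bytes.
    if len(buf) < 0x40 or buf[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(buf[0x3c:0x40], 'little')
    return buf[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def decrypt_config(data_section: bytes, key: bytes = PLUGX_CONFIG_KEY) -> bytes:
    # Step 2: the payload's own config, XORed with the hardcoded key.
    return xor_with_key(data_section, key)


def printable_strings(buf: bytes, min_len: int = 4) -> List[str]:
    # Lightweight strings extraction for triaging a decrypted config blob
    # (install folder, C2 hosts and ports) without knowing its exact layout.
    out, cur = [], bytearray()
    for b in buf + bytes(1):          # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7e:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode('ascii'))
            cur = bytearray()
    return out


def build_demo_dat(key: bytes, payload: bytes) -> bytes:
    # Constructs a .dat blob in the assumed layout: key, NUL, XORed payload.
    return key + bytes(1) + xor_with_key(payload, key)


def demo_pe() -> bytes:
    # Minimal constructed PE-shaped buffer: 'MZ', e_lfanew = 0x40, and the
    # 'PE' signature followed by two NUL bytes at 0x40. Not a real sample.
    hdr = bytearray(0x48)
    hdr[:2] = b'MZ'
    hdr[0x3c:0x40] = (0x40).to_bytes(4, 'little')
    hdr[0x40:0x44] = b'PE' + bytes(2)
    return bytes(hdr)


if __name__ == '__main__':
    dat = build_demo_dat(b'adobe-key-2020', demo_pe())      # constructed key
    payload = decode_dat(dat)
    print('decoded payload looks like a PE:', looks_like_pe(payload))
    # Constructed stand-in for the plaintext config: install folder and two
    # defanged C2 entries with a port (layout and port are made up here).
    cfg = (b'AAM Updatesnnk' + bytes(1)
           + b'www.destroy2013.]com:443' + bytes(1)
           + b'www.fitehook.]com:443')
    enc = decrypt_config(cfg)                               # encrypt for the demo
    print('config strings:', printable_strings(decrypt_config(enc)))
```

Run as a script to see both steps on the constructed data. On a real adobeupdate.dat, read the file, call decode_dat, confirm looks_like_pe on the result, then run printable_strings over the decrypted .data section to pull out the install folder and the C2 list before reading the structure in detail.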
Generally the 4 C2 elements consist of the same domain repeated 4 times, or 2 domains repeated twice each.\r\nAfter the analysis, both the loader DLL and the final threat (after decryption) were compared with samples from different campaigns of groups known to use this DLL sideloading technique, and it was possible to verify that both the loader and the final threat coincide to a high degree with the samples of the “Mustang Panda” group analysed in the following reports [1] [2] [3]. In fact, the loader of this campaign is able to load and run the samples of the campaigns analysed in those reports, and the final threat uses exactly the same XOR key to decrypt its configuration as the samples in those reports, so there is a high probability that this is a new campaign from the same group.\r\nThis particular sample has the domains “www.destroy2013.]com” and “www.fitehook.]com” as C2 servers, and we have seen that they show a very characteristic behaviour: most of the day they resolve to 127.0.0.1, but from 1-3 AM (UTC) to 8-9 AM (UTC) they resolve to the IP “107.150.112.]250”, except on weekends, when they resolve constantly to 127.0.0.1. This could indicate that the campaign is focused on a time zone in which those hours are working hours.\r\nIP 81.16.28.]30\r\nIP 107.150.112.]250\r\nDOMAIN www.destroy2013.]com\r\nDOMAIN www.fitehook.]com\r\nDOMAIN miandfish.]store\r\nSHA256 c56ac01b3af452fedc0447d9e0fe184d093d3fd3c6631aa8182c752463de570c\r\nSHA256 9c0f6f54e5ab9a86955f1a4beffd6f57c553e34b548a9d93f4207e6a7a6c8135\r\nSource: https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/"
	],
	"report_names": [
		"mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers"
	],
	"threat_actors": [
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8237747eb96c9e5e85032aef65037b335ecb8ae1.pdf",
		"text": "https://archive.orkl.eu/8237747eb96c9e5e85032aef65037b335ecb8ae1.txt",
		"img": "https://archive.orkl.eu/8237747eb96c9e5e85032aef65037b335ecb8ae1.jpg"
	}
}