{
	"id": "22e42462-3d9a-46b7-86e8-831b9eb3dc00",
	"created_at": "2026-04-06T00:20:16.232597Z",
	"updated_at": "2026-04-10T03:36:33.671426Z",
	"deleted_at": null,
	"sha1_hash": "8e6669c0b3a18b1ce1a9891e9d18924a1a69e84f",
	"title": "Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1046866,
	"plain_text": "Earth Preta Mixes Legitimate and Malicious Components to\r\nSidestep Detection\r\nBy: Nathaniel Morales, Nick Dai Feb 18, 2025 Read time: 5 min (1419 words)\r\nPublished: 2025-02-18 · Archived: 2026-04-05 12:44:38 UTC\r\nCyber Threats\r\nOur Threat Hunting team discusses Earth Preta’s latest technique, in which the APT group leverages MAVInject\r\nand Setup Factory to deploy payloads and maintain control over compromised systems.\r\nNote: We have made some revisions to this post to clarify the behavior of this threat.\r\nSummary\r\nResearchers from Trend Micro’s Threat Hunting team discovered that Earth Preta, also known as Mustang\r\nPanda, uses the Microsoft Application Virtualization Injector to inject payloads into waitfor.exe whenever\r\nan ESET antivirus application is detected.\r\nThey utilize Setup Factory to drop and execute the payloads for persistence and to avoid detection.\r\nThe attack involves dropping multiple files, including legitimate executables and malicious components,\r\nand deploying a decoy PDF to distract the victim.\r\nEarth Preta's malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic\r\nArts application and communicates with a command-and-control server for data exfiltration.\r\nTrend Micro’s Threat Hunting team has come across a new technique employed by Earth\r\nPreta, also known as Mustang Panda. Earth Preta's attacks have been known to focus on the\r\nAsia-Pacific region. More recently, one campaign used a variant of the DOPLUGS malware to\r\ntarget Taiwan, Vietnam, and Malaysia, among other countries. 
The group, which favors phishing in their campaigns\r\nand tends to target government entities, has had over 200 victims since 2022.\r\nThis advanced persistent threat (APT) group has been observed leveraging a Windows utility that’s able to inject\r\ncode into external processes called the Microsoft Application Virtualization Injector (MAVInject.exe). This injects\r\nEarth Preta’s payload into waitfor.exe, a Windows utility that’s used to send or wait for signals between networked\r\ncomputers, when an ESET antivirus application is detected running. Additionally, Earth Preta utilizes\r\nSetup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to\r\nevade detection and maintain persistence in compromised systems.\r\nDetailed analysis\r\nIn Earth Preta’s attack chain, the first malicious file, IRSetup.exe, is used to drop multiple files into the\r\nProgramData/session directory (Figure 1). These files include a combination of legitimate executables and\r\nmalicious components (Figure 2).\r\nhttps://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html\r\nPage 1 of 11\n\nFigure 1. Earth Preta’s kill chain\r\nFigure 2. Files dropped by IRSetup.exe\r\nA decoy PDF designed to target Thailand-based users is also executed, likely to distract the victim while the\r\nmalicious payload is deployed in the background (Figure 3). The fraudulent document asks for the reader’s\r\ncooperation in creating a whitelist of phone numbers to aid in the development of an anti-crime platform,\r\nallegedly a project supported by multiple government agencies.\r\nThis technique aligns with Earth Preta’s previous campaigns, in which they used spear-phishing emails to target\r\nvictims and executed a decoy PDF to divert attention while the malicious payload was deployed in the\r\nbackground. 
\r\nFigure 3. Decoy PDF (left) and translated text (right)\r\nThe dropper malware then executes OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application, to\r\nsideload EACore.dll, a modified variant of the TONESHELL backdoor used by Earth Preta, shown in Figure 4.\r\nFigure 4. Loading the malicious DLL\r\nTONESHELL backdoor – EACore.dll\r\nEACore.dll contains multiple export functions, as shown below in Figure 5, but all of them point to the same\r\nmalicious function.\r\nFigure 5. Export functions of EACore.dll\r\nOne of the functions checks if either ekrn.exe or egui.exe, both associated with ESET antivirus applications, is\r\nrunning on the machine (Figure 6). If either process is detected, the malware registers EACore.dll using\r\nregsvr32.exe to execute the DLLRegisterServer function (Figure 7).\r\nFigure 6. Checking of ESET process\r\nFigure 7. Running via regsvr32.exe\r\nThe DLLRegisterServer export will then execute waitfor.exe. MAVInject.exe, which is capable of proxy execution\r\nof malicious code by injecting into a running process, is then used to inject the malicious code into it (Figure 8) via\r\nthe following command:\r\nMavinject.exe \u003cTarget PID\u003e /INJECTRUNNING \u003cMalicious DLL\u003e\r\nIt is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used\r\nESET software.\r\nFigure 8. 
Function used to inject malicious code into waitfor.exe\r\nException handler\r\nThe malware also implements an exception handler (Figure 9) that activates when ESET applications are not\r\nfound, allowing it to proceed with its payload. Instead of injecting the malicious code via MAVInject.exe, it\r\ndirectly injects its code into waitfor.exe using the WriteProcessMemory and CreateRemoteThreadEx APIs (Figure\r\n10).\r\nFigure 9. Setting up the structured exception handler\r\nFigure 10. Code injection function (top) and injected code in waitfor.exe (bottom)\r\nC\u0026C communication\r\nThe malware decrypts the shellcode stored in the .data section (Figure 11), which contains the functions to\r\ncommunicate with its C\u0026C server, www[.]militarytc[.]com:443 (Figure 12).\r\nFigure 11. Function containing the decryption of shellcode\r\nFigure 12. Function to communicate with C\u0026C server\r\nThe malware communicates with the command-and-control (C\u0026C) server through the ws2_32.send API call. It\r\ngenerates a random identifier, gathers the computer name, and sends this information to the C\u0026C server. The C\u0026C\r\nprotocol is similar to that of its previous variant, as outlined in our past research. However, this variant involves\r\nsome minor changes. For example, the generated victim ID is now stored to current_directory\\CompressShaders\r\nfor persistence. 
Also, the handshake packet is slightly different, as shown in Table 1.\r\nOffset | Size | Name | Description\r\n0x0 | 0x3 | magic | 17 03 03\r\n0x3 | 0x2 | size | The payload size\r\n0x5 | 0x100 | key | The payload encryption key\r\n0x105 | 0x10 | victim_id | The unique victim ID (generated by CoCreateGuid)\r\n0x115 | 0x1 | reserved |\r\n0x116 | 0x4 | hostname_length | The length of the hostname\r\n0x11A | hostname_length | hostname | The hostname\r\nTable 1. Contents of the sent data\r\nThe command codes are also slightly different. In this variant, all of the debug strings are removed. It supports\r\ncommand codes 4 through 19 and has the following capabilities:\r\nReverse shell\r\nDelete file\r\nMove file\r\nFigure 13. Information sent to C\u0026C server\r\nAttribution to Earth Preta\r\nFor attribution, we believe this variant is more likely associated with Earth Preta. It was distributed using similar\r\nTTPs (spear-phishing) and works like the earlier variant mentioned in our previous entry on Earth Preta.\r\nIt employs CoCreateGuid to generate a unique victim ID, which is stored in a standalone file — a\r\nbehavior not observed in earlier variants. Additionally, the same C\u0026C server was linked to another sample\r\nattributed to Earth Preta, and the shared CyberChef formula still successfully decrypts\r\nthe packet being sent. Based on these factors, we attribute this variant to Earth Preta with medium confidence.\r\nTrend Vision One\r\nTrend Vision One™ is a cybersecurity platform that simplifies security and helps\r\nenterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command\r\nof the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. 
The cloud-based\r\nplatform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the\r\nglobe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response\r\noptions in a single solution.\r\nTrend Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Vision One customers can access a range of\r\nIntelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber\r\nthreats before they happen and allows them to prepare for emerging threats by offering comprehensive\r\ninformation on threat actors, their malicious activities, and their techniques. By leveraging this intelligence,\r\ncustomers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.\r\nTrend Vision One Intelligence Reports App [IOC Sweeping]\r\nEarth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\r\nTrend Vision One Threat Insights App\r\nThreat Actors: Earth Preta\r\nEmerging Threats: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.
\r\nProcess injection to waitfor.exe with hardcoded parameter used by Earth Preta\r\nprocessFilePath:*ProgramData\\\\session\\\\OriginLegacyCLI.exe AND\r\nobjectCmd:*Windows\\\\SysWOW64\\\\waitfor.exe\\\" \\\"Event19030000000\\\" AND tags: \"XSAE.F8404\"\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nConclusion\r\nThe recent findings of Trend Micro’s Threat Hunting team highlight the sophisticated methods employed by Earth\r\nPreta to compromise systems and evade security measures. By leveraging MAVInject.exe to inject malicious\r\npayloads into waitfor.exe, and using Setup Factory to drop and execute these payloads, Earth Preta effectively\r\nmaintains its persistence on infected systems. Its attack chain demonstrates the group's advanced level of expertise\r\nin developing and refining their evasion techniques, with its use of legitimate applications like Setup Factory and\r\nOriginLegacyCLI.exe further complicating detection efforts. Organizations should be vigilant about enhancing\r\ntheir monitoring capabilities, focusing on identifying unusual activities in legitimate processes and executable\r\nfiles, to stay ahead of the evolving tactics of APT groups like Earth Preta.\r\nSource: https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html"
	],
	"report_names": [
		"earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e6669c0b3a18b1ce1a9891e9d18924a1a69e84f.pdf",
		"text": "https://archive.orkl.eu/8e6669c0b3a18b1ce1a9891e9d18924a1a69e84f.txt",
		"img": "https://archive.orkl.eu/8e6669c0b3a18b1ce1a9891e9d18924a1a69e84f.jpg"
	}
}