Mustang Panda Deploys PlugX RAT Through Multi-Stage LNK and PowerShell Attack Chain

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A well-known Chinese state-sponsored threat group called Mustang Panda has been caught running a sophisticated cyberattack campaign using its signature remote access tool, PlugX.

The group used a cleverly disguised fake browser update to trick users into downloading a multi-stage malware loader that quietly installed itself on victim systems and began communicating with a remote command server, all without raising obvious suspicion.

The attack stands out for how carefully each step of the infection is separated from the others. Rather than relying on a single malicious file, the attackers built a tightly linked chain of components that only reveal their full purpose when working together.

This design makes it much harder for security tools to catch the threat by scanning any one file in isolation.

Analysts at BlueCyber identified the malware and published a detailed technical breakdown, noting that the chain began with two suspicious files: Browser_Update.zip and a masqueraded image named iis.jpg, both flagged as malicious by multiple vendors on VirusTotal. 

BlueCyber said in a report shared with Cyber Security News (CSN) that the chain is divided into many small layers, with each stage taking on a specific task, helping the malware reduce static detection indicators and slow down analysis.

The attack was designed to look completely normal at a glance. The dropper, Browser_Updater.exe, opened a convincing fake update window styled after Adobe Acrobat, complete with Install and Cancel buttons, and even carried digital signatures from a Chinese company to appear more trustworthy.

Once a user clicked Install, it silently reached out to a remote server and downloaded what looked like a JPEG image but was actually a hidden MSI installer that dropped three files onto the machine.

Mustang Panda Deploys PlugX RAT

The three files dropped were Avk.exe, Avk.dll, and AVKTray.dat. What made this particularly deceptive is that Avk.exe is a legitimate, properly signed binary from G DATA AntiVirus, used as a cover to load the malicious DLL through a technique called DLL sideloading.

Execution Chain (Source – BlueCyber)

Since the executable carries a valid vendor signature, it raises far fewer security alarms on its own.

Avk.dll served as an intermediate loader. It resolved the Windows APIs it needed at runtime by comparing hashes of export names rather than importing them by name, so neither the import table nor the string table reveals which functions it calls to static analysis.

It read the encrypted payload inside AVKTray.dat into memory it marked readable, writable and executable (RWX), then started the payload through a Windows thread-pool callback. The decrypted code therefore runs on a thread-pool worker thread whose call stack starts inside ntdll, rather than on a thread the loader created directly, which obscures the origin of execution from monitoring tools that key on thread creation.

The payload inside AVKTray.dat passed through multiple decryption layers, an XOR pass followed by RC4 with the key VOphJo (the XOR key is not given here), before the loader manually mapped it into memory. The decrypted implant is thus never written to disk as a normal executable and never passes through the Windows image loader, which is what most file-based scanning and image-load telemetry watches.

Reading the payload and granting RWX permission (Source – BlueCyber)
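The unwrapping sequence described above, as an added example that is not BlueCyber's code or the malware's: it applies the XOR layer and then RC4 with the key VOphJo to a container, and checks whether what comes out is a PE image ready for manual mapping. Two things are assumptions rather than facts from the report: the XOR layer is treated as a repeating-key XOR with a key the page does not give (so it is a parameter), and the container it decrypts is constructed here by running the same steps in reverse on a minimal fake PE header.

```python
# Added example, not code from BlueCyber or from the malware: unwrap an
# AVKTray.dat-style container the way the article describes it, a XOR layer
# first and then RC4 with the key VOphJo, and check whether the result is a PE
# image ready for manual mapping. Assumptions: the XOR layer is a repeating-key
# XOR whose key is not given on the page (so it is a parameter here), and the
# container below is constructed for the demonstration.
import struct

RC4_KEY = b"VOphJo"          # RC4 key named in the report
ASSUMED_XOR_KEY = b"\x5a"    # assumption: single-byte XOR key, not from the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unwrap_container(blob: bytes, xor_key: bytes = ASSUMED_XOR_KEY) -> bytes:
    """Decryption order stated in the article: XOR layer, then RC4 with VOphJo."""
    return rc4(RC4_KEY, xor_layer(xor_key, blob))


def wrap_payload(payload: bytes, xor_key: bytes = ASSUMED_XOR_KEY) -> bytes:
    """Inverse of unwrap_container, used only to build the constructed sample."""
    return xor_layer(xor_key, rc4(RC4_KEY, payload))


def looks_like_pe(buf: bytes) -> bool:
    """Cheap sanity check an analyst applies before manual mapping: MZ header,
    sane e_lfanew, PE\\0\\0 signature. It does not validate the rest of the headers."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for the mapped implant: just enough header to pass looks_like_pe."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40 bytes of DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x90" * 32


# Constructed container: what an AVKTray.dat built under these assumptions would hold.
SAMPLE_CONTAINER = wrap_payload(build_fake_pe())

if __name__ == "__main__":
    decrypted = unwrap_container(SAMPLE_CONTAINER)
    print("decrypted looks like PE:", looks_like_pe(decrypted))
    print("first bytes:", decrypted[:2], "e_lfanew:", struct.unpack_from("<I", decrypted, 0x3C)[0])
```

The order matters when applying this to a real container: the article states XOR first, then RC4, so a guess at the XOR key is checked by whether the RC4 output starts with a valid MZ/PE header, not by the intermediate bytes. The same `looks_like_pe` check is also the quickest way to confirm that a blob carved from process memory is the manually mapped implant rather than the still-encrypted container.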

After loading, it installed itself into %PUBLIC%\GData and wrote a persistence entry under the current user's Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), ensuring it restarts every time the user logs in.

C2 Communication and Command Capabilities

Once installed, the payload connected to its command-and-control server at fruitbrat[.]com over port 443, using HTTPS to blend in with normal web traffic.

It crafted its requests to mimic Microsoft Edge browser activity, making detection at the network level even harder. Because the channel is TLS on 443, network detection has to lean on the destination (DNS lookups, SNI and certificate details, or a decrypting proxy) rather than on request content. It also stored a unique client ID in the registry (under HKCU\Software\Classes\ms-pu\CLSID) to identify the infected machine to the remote server.

The command capabilities of this implant were extensive. It could download and execute files from the C2, launch processes and capture their output, upload and download file chunks by session, enumerate and delete files, and kill diagnostic tools like iediagcmd.exe to prevent an admin from spotting unusual activity.

Patch SetUnhandledExceptionFilter (Source – BlueCyber)

Plugin loader stubs in the code also allowed the attackers to push additional capabilities to infected machines whenever needed.

Security analysts recommend watching for Avk.exe, Avk.dll, and AVKTray.dat appearing together in directories such as %PUBLIC%\GData or %LOCALAPPDATA%\pZhozR, and for Run key entries pointing to Avk.exe with trailing numeric arguments. Avk.exe on its own is a legitimately signed G DATA binary, so the signal is the three files co-located with each other, not the presence of the executable.

BlueCyber stresses that tracking the full behavior chain, rather than relying only on individual IOC values, is the most reliable long-term defense against this and future PlugX variants.
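The hunt logic those recommendations imply, as an added example that is not BlueCyber's code or the article's: it looks for the three-file set sitting together in one directory and for a Run value whose data is Avk.exe followed only by numeric arguments. It runs over constructed records shaped like an EDR file and registry export (the field layout and the user name "alice" are assumptions); on a live host the same two checks would be fed from a directory walk and the registry. It goes slightly beyond the text by reporting the triad in any directory, not only the two named ones, and flags the named staging directories separately.

```python
# Added example, not from BlueCyber or the article: a hunt for the detection
# pattern the article gives, the three-file sideloading set sitting together and
# a Run value that launches Avk.exe with trailing numeric arguments. It runs over
# constructed records shaped like an EDR file/registry export (field layout and
# the host/user names are assumptions); on a live host the same checks would be
# fed from a directory walk and the registry.
import ntpath
import re
from collections import defaultdict

TRIAD = {"avk.exe", "avk.dll", "avktray.dat"}
# Tails of %PUBLIC%\GData and %LOCALAPPDATA%\pZhozR after environment expansion
KNOWN_STAGING_TAILS = ("\\gdata", "\\pzhozr")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Avk.exe (optionally closing a quoted path) followed only by numeric arguments
RUN_PATTERN = re.compile(r'avk\.exe"?(?:\s+\d+)+\s*$', re.IGNORECASE)

# Constructed file inventory for one hypothetical host (user "alice")
FILE_RECORDS = [
    r"C:\Users\Public\GData\Avk.exe",
    r"C:\Users\Public\GData\Avk.dll",
    r"C:\Users\Public\GData\AVKTray.dat",
    r"C:\Users\alice\AppData\Local\pZhozR\Avk.exe",
    r"C:\Users\alice\AppData\Local\pZhozR\Avk.dll",
    r"C:\Users\alice\AppData\Local\pZhozR\AVKTray.dat",
    r"D:\staging\Avk.exe",            # same set in an unfamiliar directory
    r"D:\staging\avk.dll",
    r"D:\staging\AVKTray.DAT",
    r"C:\Tools\Avk.exe",              # lone copy of the signed binary: not the pattern
]

# Constructed Run-key dump merged from two hypothetical hosts:
# (host, key, value name, value data)
REG_RECORDS = [
    ("host-a", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "G Data",
     r"C:\Users\Public\GData\Avk.exe 2847"),
    ("host-b", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "G Data",
     r'"C:\Users\alice\AppData\Local\pZhozR\Avk.exe" 10 20'),
    ("host-b", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("host-a", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Avk",
     r"C:\Tools\Avk.exe"),           # Avk.exe but no numeric filler arguments
]


def find_triads(paths):
    """Directories holding all three files (case-insensitive), with a flag for
    the two staging directories named in the report."""
    names_by_dir = defaultdict(set)
    for path in paths:
        directory, name = ntpath.split(path)
        names_by_dir[directory.lower()].add(name.lower())
    hits = []
    for directory, names in sorted(names_by_dir.items()):
        if TRIAD <= names:
            hits.append({"dir": directory,
                         "known_staging_dir": directory.endswith(KNOWN_STAGING_TAILS)})
    return hits


def find_run_entries(records):
    """Run values under HKCU whose data is Avk.exe followed only by numeric arguments."""
    return [{"host": host, "name": name, "data": data}
            for host, key, name, data in records
            if key.lower() == RUN_KEY and RUN_PATTERN.search(data)]


if __name__ == "__main__":
    for hit in find_triads(FILE_RECORDS):
        print("triad:", hit)
    for hit in find_run_entries(REG_RECORDS):
        print("run value:", hit)
```

Matching on the directory contents rather than on the two published paths is deliberate: the path names are the cheapest thing for the operator to change between campaigns, while the signed-host-plus-sideloaded-DLL-plus-encrypted-container layout is the behaviour chain BlueCyber says to track. A lone Avk.exe, or Avk.exe in a Run value without the numeric filler, does not fire, which keeps a genuine G DATA installation out of the results.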

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| SHA-256 | 79af67ed343bc45b6a19e4836ebb83f1130243ff98f48465f9a7a807ba4bfa91 | iis.jpg (masqueraded MSI payload) |
| SHA-256 | 106f46375d8497d353c22c98f72ab15a9bb87beba4585d5a492fd11edc288b0b | Browser_Update.zip (initial dropper archive) |
| SHA-256 | 8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99 | Avk.exe (legitimate G DATA binary used for sideloading) |
| SHA-256 | 4cd81d26289c4d8383a0ffa34397f0b03941554eac04f1b420269b831acc | Avk.dll (malicious intermediate loader) |
| SHA-256 | d4bc21e12360af2f2cb55872a90b62805150d498c452b2b1c6a05a806cbb | AVKTray.dat (encrypted payload container) |
| SHA-256 | b52c484a3cc383dd3b4dc79c207946b603a810edf74bff76dca7ad29d4de | final_payload.bin (manually mapped PlugX implant) |
| IP Address | 45[.]251[.]243[.]210 | Payload delivery server (iis.jpg served over HTTP) |
| Domain | fruitbrat[.]com:443 | Primary C2 server (WinHTTP HTTPS communication) |
| Domain | dalerocks[.]com:443 | C2 for Vietnam-targeting variant (May 2026) |
| File Path | %LOCALAPPDATA%\pZhozR | Initial staging directory for the three-file set |
| File Path | %PUBLIC%\GData | Persistent installation directory |
| Registry Key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name: G Data) | Persistence Run entry (data: Avk.exe with filler numeric arguments) |
| Registry Key | HKCU\Software\Classes\ms-pu\CLSID | Unique client/install ID storage |
| Mutex | aumhYjQIQ | Mutex created to prevent duplicate controller instances |
| File Name | Browser_Updater.exe | Initial dropper disguised as a browser update |
| RC4 Key | VOphJo | Runtime config decryption key |
| File Marker | arp | Extension marker used by plugin loader stubs |

Note: the SHA-256 values listed for Avk.dll, AVKTray.dat and final_payload.bin are 60 hex characters as published, not the 64 a full SHA-256 digest has, so they will not match anything as-is. Confirm the complete digests against the BlueCyber report before loading them into a blocklist or SIEM lookup.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
