Chinese Hacker Group Mustang Panda Deploys New Tools to Bypass EDR Systems

Researchers from Zscaler ThreatLabz have identified fresh activity linked to the China-backed cyber-espionage group, Mustang Panda.

These developments involve new variants of the well-known ToneShell backdoor and the introduction of a previously undocumented lateral movement utility, dubbed “StarProxy.”

The new toolset underscores a marked escalation in Mustang Panda’s sophistication, particularly with respect to bypassing endpoint detection and response (EDR) mechanisms.

ToneShell, a staple in Mustang Panda’s arsenal, has undergone multiple technical enhancements.

The latest variants, discovered in attacks against organizations in Myanmar, incorporate advanced evasion tactics.

The malware persists in utilizing DLL sideloading, where malicious payloads are bundled inside RAR archives alongside legitimate signed binaries to evade security controls.

Notably, ToneShell now exhibits updated FakeTLS command-and-control (C2) protocols, shifting from TLSv1.2 to TLSv1.3 header impersonation to further obfuscate network activity.

Each ToneShell variant employs custom random number generation strategies to create GUIDs uniquely identifying infected hosts.

According to the report, these values are written to disk in subtly altered file structures, adding complexity for defenders relying on behavioral signatures.

The rolling XOR key mechanism, central to encrypting C2 traffic, has also been diversified: key lengths and initialization techniques differ among variants, reflecting Mustang Panda’s intent to routinely frustrate static network signature detection.

From a command execution standpoint, the refined backdoors support a minimal set of remote shell, file management, and payload execution instructions.

One new variant adds advanced DLL injection and process token impersonation, facilitating further lateral movement and stealth.

Introduction of StarProxy: Advanced Lateral Movement and Evasion

The newly discovered StarProxy tool exemplifies Mustang Panda’s capability evolution.

[Figure: High-level diagram of StarProxy activity.]

Deployed through DLL sideloading, StarProxy is designed to proxy attacker traffic across compromised environments using FakeTLS-based TCP communication.

The tool leverages hardcoded and dynamically generated XOR keys for packet encryption, transmitting beacons and command responses using custom protocol headers that closely mimic legitimate TLS traffic.
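Because both ToneShell and StarProxy wrap their C2 traffic in TLS-looking record headers, one network-side check is whether a stream is framed the way genuine TLS is framed. The following Python is an added example written for this article, not code from Zscaler ThreatLabz or from the malware analysis: it applies generic TLS record-layer checks (a client stream should open with a ClientHello, record versions should be plausible, declared lengths should match the bytes on the wire) to constructed sample streams, and it does not decode either family's actual protocol.

```python
import struct

TLS_HANDSHAKE, TLS_APPDATA, CLIENT_HELLO = 0x16, 0x17, 0x01
# Versions that legitimately appear in a record header. Real TLS 1.3 keeps
# 0x0303 in the record layer (RFC 8446 section 5.1); 0x0304 there is itself a red flag.
RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}


def tls_record(ctype: int, version: int, body: bytes) -> bytes:
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def parse_records(stream: bytes):
    """Split a client-to-server byte stream into records; also return leftover bytes."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        records.append((ctype, ver, length, body))
        off += 5 + length
    return records, stream[off:]


def fake_tls_findings(stream: bytes) -> list:
    """Return reasons the stream is not framed like genuine TLS (empty list = looks sane)."""
    findings = []
    records, trailer = parse_records(stream)
    if not records:
        return ["no parseable TLS record header"]
    ctype, ver, _, body = records[0]
    if ctype != TLS_HANDSHAKE or not body or body[0] != CLIENT_HELLO:
        findings.append("first record is not a ClientHello handshake")
    for i, (ctype, ver, length, body) in enumerate(records):
        if ver not in RECORD_VERSIONS:
            findings.append(f"record {i}: implausible record version 0x{ver:04x}")
        if len(body) < length:
            findings.append(f"record {i}: declares {length} bytes, only {len(body)} present")
    if trailer:
        findings.append(f"{len(trailer)} bytes outside any declared record")
    return findings


# Constructed samples, not captured traffic. The first is framed like a real
# session (ClientHello, then application data); the second carries only
# application-data headers plus stray bytes, one shape a header-only impersonator can take.
GENUINE_SAMPLE = (tls_record(TLS_HANDSHAKE, 0x0301, b"\x01\x00\x00\x02\x03\x03")
                  + tls_record(TLS_APPDATA, 0x0303, b"\x00" * 8))
FAKE_SAMPLE = (tls_record(TLS_APPDATA, 0x0304, b"\x00" * 8)
               + tls_record(TLS_APPDATA, 0x0303, b"\x00" * 4) + b"\xde\xad")
```

Run over reassembled client-to-server payloads, findings on a stream that otherwise passes as TLS are a prompt for closer inspection rather than a verdict, since the check tests framing only and says nothing about the encrypted contents.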

StarProxy supports multiple commands, such as establishing relay sockets to external or internal hosts, forwarding data, and managing proxy connections, enabling attackers to pivot within restricted environments and maintain persistent access.

Its modular architecture and focus on stealth suggest active development, with intentional overlap and redundancy observed in command handling.

The rapid iteration of Mustang Panda’s TTPs, ranging from DLL sideloading and protocol impersonation to advanced lateral movement tools, highlights a sustained focus on evading modern EDR and network-based defenses.

The detailed IoCs provided by security researchers serve as a critical resource for organizations to detect and mitigate these evolving threats.

As Mustang Panda’s toolkit matures, continuous monitoring and adaptive defense strategies will be essential to counter this ongoing risk.

Indicators of Compromise (IoC)

File Indicators


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
