Chinese Hackers Group Mustang Panda Deploys New Tools to Bypass EDR Systems

Researchers from Zscaler ThreatLabz have identified fresh activity linked to the China-backed cyber-espionage group, Mustang Panda.

These developments involve new variants of the well-known ToneShell backdoor and the introduction of a previously undocumented lateral movement utility, dubbed “StarProxy.”

The new toolset underscores a marked escalation in Mustang Panda’s sophistication, particularly with respect to bypassing endpoint detection and response (EDR) mechanisms.

ToneShell, a staple in Mustang Panda’s arsenal, has undergone multiple technical enhancements.

The latest variants, discovered in attacks against organizations in Myanmar, incorporate advanced evasion tactics.

The malware persists in utilizing DLL sideloading, where malicious payloads are bundled inside RAR archives alongside legitimate signed binaries to evade security controls.

Notably, ToneShell now exhibits updated FakeTLS command-and-control (C2) protocols, shifting from TLSv1.2 to TLSv1.3 header impersonation to further obfuscate network activity.

Each ToneShell variant employs custom random number generation strategies to create GUIDs uniquely identifying infected hosts.

According to the Report, these values are written to disk in subtlety-altered file structures, adding complexity for defenders relying on behavioral signatures.

The rolling XOR key mechanism, central to encrypting C2 traffic, has also been diversified key lengths and initialization techniques differ among variants, reflecting Mustang Panda’s intent to routinely frustrate static network signature detection.

From a command execution standpoint, the refined backdoors support a minimal set of remote shell, file management, and payload execution instructions.

One new variant adds advanced DLL injection and process token impersonation, facilitating further lateral movement and stealth.

Introduction of StarProxy: Advanced Lateral Movement and Evasion

The newly discovered StarProxy tool exemplifies Mustang Panda’s capability evolution.

Deployed through DLL sideloading, StarProxy is designed to proxy attacker traffic across compromised environments using FakeTLS-based TCP communication.

The tool leverages hardcoded and dynamically generated XOR keys for packet encryption, transmitting beacons and command responses using custom protocol headers that closely mimic legitimate TLS traffic.

StarProxy supports multiple commands, such as establishing relay sockets to external or internal hosts, forwarding data, and managing proxy connections enabling attackers to pivot within restricted environments and maintain persistent access.

Its modular architecture and focus on stealth suggest active development, with intentional overlap and redundancy observed in command handling.

The rapid iteration of Mustang Panda’s TTPs ranging from DLL sideloading and protocol impersonation to advanced lateral movement tools highlights a sustained focus on evading modern EDR and network-based defenses.

The detailed IoCs provided by security researchers serve as a critical resource for organizations to detect and mitigate these evolving threats.

As Mustang Panda’s toolkit matures, continuous monitoring and adaptive defense strategies will be essential to counter this ongoing risk.