A sophisticated cyber espionage campaign by the China-aligned threat group Mustang Panda has been actively targeting government and military organizations through a malicious backdoor that masquerades as Google Chrome.
Security researchers have identified the ToneShell backdoor deployment running from March to July 2025, utilizing advanced evasion techniques to maintain persistent access to compromised systems.
Advanced DLL Sideloading Attack Chain
The attack begins with spear-phishing emails containing military-themed archives that deploy a deceptive error message claiming “The PDF file is corrupted. Please restart your computer to try again.”

While victims focus on this decoy message, the malware executes a sophisticated DLL sideloading technique.
The malicious dropper deploys legitimate Chrome components to C:\ProgramData\ChromePDFBrowser\, including a hijacked Chrome binary renamed as ChromePDF.exe.
The attack succeeds by placing a malicious chrome_elf.dll file that the legitimate Chrome binary automatically loads, effectively weaponizing the trusted application.
“The malware masquerades as a legitimate Google Chrome component by spoofing the file description and matching the version number with the hijacked Chrome binary,” according to the analysis.
The malicious DLL imports 118 Windows API functions, enabling comprehensive system manipulation, including process control, file operations, and registry modifications.
Dual Persistence and C2 Infrastructure
Mustang Panda implements redundant persistence mechanisms to ensure continued access. The malware both sets a registry Run key under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and creates a scheduled task named “ChromeBrowser-chromiumim” that executes every five minutes.
The backdoor communicates with the command and control server 218.255.96.245:443, using a custom encrypted protocol over TLS.

Intelligence analysis reveals this infrastructure has been reused across multiple Mustang Panda campaigns, including previous DOPLUGS and PUBLOAD operations targeting Asia-Pacific regions and Tibetan community organizations.
Detection and Response Recommendations
Security teams can identify this threat by monitoring for Chrome-related processes executing from the C:\ProgramData\ChromePDFBrowser\ directory and by checking for unauthorized Run key entries and scheduled tasks.
Network defenders should block traffic to the identified C2 server and implement behavioral detection rules focusing on DLL sideloading anomalies rather than signature-based approaches.
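The following is an added hunting example, not code from the article or from the researchers it cites. It encodes the indicators named above (the staging directory, the sideloaded chrome_elf.dll, the Run key, the scheduled task name and the C2 address) as behavioural rules and runs them over a handful of constructed Sysmon-style records. The record layout and field names are assumptions made for the example, the legitimate Chrome install paths are an assumption about a normal workstation, and the benign sample values are constructed.

```python
from dataclasses import dataclass

# Indicators of compromise quoted in the article above.
STAGING_DIR = r"c:\programdata\chromepdfbrowser"
SIDELOADED_DLL = "chrome_elf.dll"
TASK_NAME = "chromebrowser-chromiumim"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
C2_ADDR = ("218.255.96.245", 443)

# Directories where a genuine Chrome install lives; an assumption made for
# this example, not something stated in the article.
LEGIT_CHROME_DIRS = (
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
)


@dataclass
class Event:
    """A minimal, constructed stand-in for a Sysmon-style telemetry record."""
    kind: str            # process | imageload | registry | task | network
    image: str = ""      # process image path (registry key path for 'registry')
    target: str = ""     # loaded DLL, registry value data, task name or dest IP
    port: int = 0        # destination port for 'network' events


def _norm(s: str) -> str:
    """Case-fold and normalise separators so rules can compare paths directly."""
    return s.strip().lower().replace("/", "\\").replace("hkey_current_user", "hkcu")


def check_event(ev: Event) -> list[str]:
    """Return the names of every rule a single event triggers."""
    hits = []
    image, target = _norm(ev.image), _norm(ev.target)

    # Rule 1: any process running out of the staging directory.
    if ev.kind == "process" and image.startswith(STAGING_DIR):
        hits.append("process_in_staging_dir")

    # Rule 2: chrome_elf.dll loaded from anywhere but a real Chrome install.
    # This is the sideloading anomaly itself and does not depend on a hash.
    if ev.kind == "imageload" and target.endswith("\\" + SIDELOADED_DLL):
        if not any(target.startswith(d) for d in LEGIT_CHROME_DIRS):
            hits.append("chrome_elf_sideload")

    # Rule 3: a Run key value whose data points into the staging directory.
    if ev.kind == "registry" and image.startswith(RUN_KEY) and STAGING_DIR in target:
        hits.append("run_key_persistence")

    # Rule 4: a scheduled task with the name used by the campaign.
    if ev.kind == "task" and target == TASK_NAME:
        hits.append("scheduled_task_persistence")

    # Rule 5: an outbound connection to the published C2 address and port.
    if ev.kind == "network" and (target, ev.port) == C2_ADDR:
        hits.append("known_c2_connection")

    return hits


def hunt(events) -> dict[str, list[int]]:
    """Map each triggered rule name to the indices of the events that fired it."""
    findings: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings


# Constructed sample telemetry: three benign records (a real Chrome install,
# its own chrome_elf.dll and a TEST-NET destination) followed by five records
# shaped like the activity the article describes.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event("imageload", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Program Files\Google\Chrome\Application\139.0.0.0\chrome_elf.dll"),
    Event("network", target="192.0.2.10", port=443),
    Event("process", image=r"C:\ProgramData\ChromePDFBrowser\ChromePDF.exe"),
    Event("imageload", image=r"C:\ProgramData\ChromePDFBrowser\ChromePDF.exe",
          target=r"C:\ProgramData\ChromePDFBrowser\chrome_elf.dll"),
    Event("registry",
          image=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          target=r"C:\ProgramData\ChromePDFBrowser\ChromePDF.exe"),
    Event("task", target="ChromeBrowser-chromiumim"),
    Event("network", target="218.255.96.245", port=443),
]

if __name__ == "__main__":
    for rule, idx in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {idx}")
```

Rule 2 is the one worth keeping after the indicators in this story age out: a legitimate Chrome binary loading chrome_elf.dll from any directory other than its install path is the sideloading pattern itself, which is the behavioural detection the article recommends over signature matching.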
The campaign demonstrates Mustang Panda’s continued operational sophistication and infrastructure investment strategy.

Organizations should prioritize advanced email filtering, application whitelisting, and automated hunting capabilities to defend against this evolving threat.
The group’s consistent targeting of government and military entities across multiple campaigns indicates sustained strategic intelligence collection objectives.