DATA, DLLs, and PlugX: Deconstructing Mustang Panda’s Latest Move
Recent threat intelligence reveals a sophisticated campaign by Mustang Panda, a China-nexus APT group frequently linked to espionage against government and diplomatic entities.
In this latest iteration, the group utilizes a deceptive “Browser Updater” lure and a multi-stage LNK-to-PowerShell execution chain to deploy the modular PlugX Remote Access Trojan (RAT). By leveraging DLL sideloading against a legitimate G DATA antivirus binary, the attackers successfully mask their presence while establishing encrypted command-and-control (C2) communication.
PlugX remains a formidable tool for threat actors due to its highly adaptable, plugin-based architecture. It supports reflective loading and uses encrypted configuration blobs, allowing it to evolve rapidly across different operational environments.
The Initial Intrusion: LNK and Social Engineering
The attack vector begins with a weaponized Windows shortcut (LNK) file. When executed, the LNK launches a PowerShell process in a hidden window, staging various payloads into user-writable directories like %LOCALAPPDATA%. This initial stage typically involves unpacking a compressed archive—often masquerading as a benign document—which then drops a malicious executable named Browser_Updater.exe.
To maintain the illusion of legitimacy, the malware presents the victim with a spoofed user interface. This “browser update” theme is a signature tactic for Mustang Panda, often delivered via phishing emails containing meeting invitations or policy updates. Once the user clicks “Install,” Browser_Updater.exe initiates an HTTP GET request to a staging server. Interestingly, the payload is often served with a deceptive filename, such as iis.jpg, despite being a functional MSI installer.

According to a technical report by Blue Cyber, the group maintains high operational security by constantly rotating delivery mechanisms, ranging from LNK files and PowerShell scripts to advanced DLL sideloading techniques.
Execution via DLL Sideloading
Once the MSI installer runs, it populates the %LOCALAPPDATA% directory with a three-file triad: a legitimate signed executable, a malicious DLL, and an encrypted .dat payload. To evade EDR and antivirus scrutiny, the group employs DLL sideloading. They use a legitimate, digitally signed G DATA antivirus component, Avk.exe, as a host. Instead of performing its intended security functions, Avk.exe is co-opted to load a companion library, Avk.dll, from its local directory.
The malicious Avk.dll is lean, designed only to facilitate the next stage of infection. It utilizes DJB2-style hashing to resolve Windows APIs at runtime, avoiding a static Import Address Table (IAT) that would trigger alerts. It then locates an adjacent file, AVKTray.dat, and loads it into a memory buffer with Read-Write-Execute (RWX) permissions.

To further obscure the execution flow, the DLL does not call the buffer directly. Instead, it uses RtlRegisterWait to register the buffer as a thread-pool callback. By signaling an event, it forces ntdll‘s worker threads to jump into the attacker’s code, effectively masking the origin of the malicious execution.
Payload Decryption and Manual PE Mapping
The AVKTray.dat file serves as a shellcode container. The initial stub performs a single-byte XOR decryption before handing off execution to a routine protected by control-flow flattening. This makes static analysis and decompilation significantly more difficult for researchers. This routine employs complex transformations, such as rotate-left (ROL) operations, to resolve helper functions without exposing clear-text strings.
The malware’s configuration—including C2 domains and mutex names—is stored in an RC4-encrypted blob. Even after the initial RC4 decryption, the fields undergo an additional XOR pass, ensuring that simple memory scans won’t immediately reveal the command-and-control infrastructure.
The core PlugX loader acts as a manual PE mapper. Rather than relying on the Windows OS loader, it replicates the process in user-space:
- Scans memory for MZ/PE signatures.
- Allocates new memory regions.
- Resolves imports and applies relocations.
- Switches from DJB2 to a rotate-left-19-based hash to resolve
KERNEL32andNTDLLAPIs, breaking signature-based detection.


Persistence and Stealthy Communication
Once the PlugX payload is mapped and running, it establishes persistence by moving its files to a “stable” path: %PUBLIC%\GData. This is a “living-off-the-namespace” tactic; an admin seeing a “GData” folder is likely to assume it is legitimate antivirus software. The malware then creates a Windows Registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, using the G DATA brand name to blend in.
To maintain a low profile during network activity, the implant:
- Reads the user’s existing proxy settings from the registry to mirror legitimate traffic patterns.
- Uses modern User-Agent strings (mimicking Chrome or Edge).
- Communicates over HTTPS to a hard-coded C2 domain (notably
fruitbrat[.]comin recent samples). - Embeds a session identifier within a cookie parameter, derived from a unique client ID stored in the registry, preventing the raw ID from appearing in network captures.
The C2 server can then issue commands to perform file system operations, spawn processes, or download and execute modular plugins, granting the attackers full remote control over the compromised host.