Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

ToneShell Used in Mustang Panda Attacks

April 17, 2025
Reading Time: 2 mins read
in Alerts
CISA Warns of Oracle Cloud Access Risks

Security researchers have uncovered new activities attributed to Mustang Panda, a China-sponsored espionage group. Known for targeting government entities and military organizations across East Asia and Europe, the group has been using weaponized RAR archives. These archives contain malicious DLLs, which are deployed through DLL sideloading alongside legitimate signed executables. This technique allows Mustang Panda to bypass security controls by leveraging the trust of digitally signed binaries.

The attack begins when victims extract and execute software from RAR archives. The archives typically contain a legitimate executable file and a malicious DLL. The DLL sideloading method makes it difficult to detect since it relies on the system’s default behavior of loading DLLs. As the legitimate software runs, the malicious DLL is executed without triggering suspicion, enabling the attacker to compromise the system.

Mustang Panda’s recent campaigns have focused on government-related entities, particularly in Myanmar.

Researchers have found multiple variants of ToneShell malware in these attacks, each with subtle modifications to evade detection. Zscaler ThreatLabz identified three distinct variants, each using a different legitimate executable for DLL sideloading. These variants were found in various archives, such as “cf.rar,” “ru.zip,” and “zz.rar,” each containing different executables and malicious DLLs.

The DLL sideloading technique relies on exploiting Windows’ DLL search order, loading a malicious DLL in place of a legitimate one.

This method appears to run legitimate software while executing malicious code in the background. The malicious DLLs also utilize custom network protocols with FakeTLS headers to conceal malicious traffic. The latest variants use TLSv1.3 to further evade detection, and encrypted communication with command and control servers uses rolling XOR keys generated with custom methods.

Reference:
  • Mustang Panda Targets Government Entities with Evolving ToneShell Malware Variants
Tags: April 2025Cyber AlertsCyber Alerts 2025CyberattackCybersecurity
ADVERTISEMENT

Related Posts

Fake DocuSign Alerts Target Corporate Logins

Fake DocuSign Alerts Target Corporate Logins

May 28, 2025
Fake DocuSign Alerts Target Corporate Logins

Fake Bitdefender Site Spreads Venom Malware

May 28, 2025
Fake DocuSign Alerts Target Corporate Logins

Microsoft Void Blizzard Cyber Threat Alert

May 28, 2025
GhostSpy Android Malware Full Device Control

FBI Warns Luna Moth Targets US Law Firms

May 27, 2025
GhostSpy Android Malware Full Device Control

Winos 4.0 Malware Spread Via Fake Installers

May 27, 2025
GhostSpy Android Malware Full Device Control

GhostSpy Android Malware Full Device Control

May 27, 2025

Latest Alerts

Microsoft Void Blizzard Cyber Threat Alert

Fake DocuSign Alerts Target Corporate Logins

Fake Bitdefender Site Spreads Venom Malware

FBI Warns Luna Moth Targets US Law Firms

Winos 4.0 Malware Spread Via Fake Installers

GhostSpy Android Malware Full Device Control

Subscribe to our newsletter

    Latest Incidents

    Migos IG Hack Blackmails Solana Cofounder

    Tiffany & Co. Faces Data Breach Incident

    MathWorks Crippled by Ransomware Attack

    Everest Ransomware Leaks Coke Staff Data

    Adidas Data Breach Exposes Customer Contacts

    Semiconductor Firm AXT Hit by Data Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial