Mustang Panda Adopts New DLL Side-Loading Method to Deploy Malware


The sophisticated China-linked threat actor Mustang Panda has refined its cyber espionage arsenal with an advanced DLL side-loading technique specifically targeting the Tibetan community, according to recent analysis of a campaign first identified by IBM’s X-Force in June 2025.

This politically motivated operation demonstrates how threat actors continuously evolve their obfuscation methods to bypass security controls and maintain persistence on compromised systems.

The attack vector begins with a carefully crafted .ZIP file containing what appears to be an innocuous executable named ‘Voice for the Voiceless Photos.exe’ – a deliberate reference to the Dalai Lama’s book designed to appeal to the targeted demographic.

However, the archive conceals a more sinister payload: a hidden DLL file named libjyy.dll that remains invisible to users through standard file exploration methods.

The malicious DLL employs Windows file attributes to maintain stealth, specifically utilizing the arhs attribute combination:

  • a (Archive): File marked for backup.
  • r (Read-only): Prevents modification.
  • h (Hidden): Conceals the file from Windows Explorer.
  • s (System File): Further obscures the file even when “Show hidden files” is enabled.

This sophisticated concealment technique ensures the DLL remains undetected unless users specifically navigate to Folder Options and uncheck “Hide protected operating system files” – an action rarely performed by typical users.
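Because the attributes travel inside the archive, a defender can spot this layout before anything is extracted. The following is an added example, not code from the article or the campaign: it reads the MS-DOS attribute byte that ZIP entries carry and flags a hidden+system DLL stored beside an .exe; the archive it scans is constructed in the block with placeholder contents.

```python
import io
import zipfile

# MS-DOS attribute bits as stored in the low byte of a ZIP entry's external_attr
FLAGS = {"a": 0x20, "r": 0x01, "h": 0x02, "s": 0x04}   # archive, read-only, hidden, system

def dos_attributes(info: zipfile.ZipInfo) -> str:
    """Return the attrib-style letters (e.g. 'arhs') stored for an archive entry."""
    attrs = info.external_attr & 0xFF
    return "".join(letter for letter, bit in FLAGS.items() if attrs & bit)

def entry_attributes(zip_bytes: bytes) -> dict:
    """Map every entry name in the archive to its attribute letters."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: dos_attributes(i) for i in zf.infolist()}

def find_concealed_sideload(zip_bytes: bytes) -> list:
    """Flag DLLs marked hidden+system that sit in the same folder as an .exe,
    the layout a side-loading lure uses so the DLL never shows in Explorer."""
    attrs = entry_attributes(zip_bytes)
    folder = lambda name: name.rsplit("/", 1)[0] if "/" in name else ""
    exe_dirs = {folder(n) for n in attrs if n.lower().endswith(".exe")}
    return [(n, a) for n, a in attrs.items()
            if n.lower().endswith(".dll") and {"h", "s"} <= set(a) and folder(n) in exe_dirs]

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure layout: a visible decoy .exe plus
    a DLL stored with the arhs attributes set. Contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voice for the Voiceless Photos.exe", b"MZ decoy loader (constructed)")
        dll = zipfile.ZipInfo("libjyy.dll")
        dll.external_attr = FLAGS["a"] | FLAGS["r"] | FLAGS["h"] | FLAGS["s"]   # 0x27 = arhs
        zf.writestr(dll, b"MZ hidden payload (constructed)")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip()
    for name, letters in entry_attributes(sample).items():
        print(f"{letters or '-':5} {name}")
    print("suspicious:", find_concealed_sideload(sample))
```

Archives built on non-Windows systems usually store Unix mode bits instead, so an empty attribute string only means the DOS bits are absent, not that the file is visible.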

China-Nexus Indicators

Technical analysis of the primary executable reveals telltale signatures commonly associated with China-nexus threat operations.

The binary contains fabricated company information including “Hefei Nora Network Technology Co., Ltd.” as the company name and copyright holder, along with the product name “FFWallpaper Widgets Jyy.”

When analyzing the string reference identified as unknown in the previous section, we can see that it is referenced in a function that Kesakode also identified as unknown.

String reference.

Research indicates no legitimate company exists under this name, though similar fabricated entities have appeared in previous China-linked campaigns.

The executable functions as a loader whose sole purpose involves dynamically loading the concealed DLL through the LoadLibraryW API, specifically calling the ProcessMain function.

This minimalist approach reduces the attack surface while ensuring the primary malicious functionality remains segregated within the hidden DLL component.

The hidden libjyy.dll contains significantly more sophisticated capabilities, masquerading as legitimate software from “Wargaming.net Game Center” to avoid suspicion.

Analysis reveals this component serves as the Claimloader – a multi-stage malware that implements several critical functions including string decryption, argument verification, persistence establishment, and payload deployment.

Infection chain.

The malware employs a simple XOR encryption algorithm using the single-byte key 0x19 to obfuscate API calls and strings.

This technique allows dynamic loading of critical Windows APIs while evading static analysis detection. The Claimloader specifically checks for a “Licensing” argument during execution, following different code paths depending on whether this parameter is present.
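The single-byte XOR scheme is easy to undo once the key is known, and just as easy to confirm when it is not. The block below is an added example (not the malware's code and not from the article): it decrypts a table of NUL-terminated strings with key 0x19 and shows how an analyst recovers that key by scoring all 256 candidates. The ciphertext bytes are constructed for the example, not taken from the sample.

```python
import string

# Bytes an analyst expects in a decrypted C-string table: printable ASCII plus NUL.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def xor_decrypt(data: bytes, key: int) -> bytes:
    """XOR every byte with the one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def extract_strings(blob: bytes, key: int, min_len: int = 4) -> list:
    """Decrypt the blob and split it into NUL-terminated strings."""
    plain = xor_decrypt(blob, key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if len(s) >= min_len]

def guess_key(blob: bytes) -> int:
    """Try all 256 keys; printable output scores 1 per byte and a NUL terminator 2,
    so the key that turns the blob into clean C strings wins."""
    best_key, best_score = 0, -1
    for key in range(256):
        plain = xor_decrypt(blob, key)
        score = sum(2 if b == 0 else 1 if b in PRINTABLE else 0 for b in plain)
        if score > best_score:
            best_key, best_score = key, score
    return best_key

# Constructed sample: three names XORed with 0x19, each followed by an encrypted
# NUL terminator (0x00 ^ 0x19 = 0x19). Not bytes from the real Claimloader.
SAMPLE_BLOB = bytes.fromhex(
    "55707a7c776a70777e19"        # "Licensing\0"
    "5c776c745f76776d6a4e19"      # "EnumFontsW\0"
    "4f706b6d6c7875587575767a19"  # "VirtualAlloc\0"
)

if __name__ == "__main__":
    key = guess_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in extract_strings(SAMPLE_BLOB, key):
        print("  ", s)
```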

When executed without the proper argument, the malware establishes dual persistence mechanisms on the infected system.

Malcat allows us to analyze the binary from several angles: the disassembly, the decompiler, the hexadecimal editor, and the way in which the data is structured.

Encrypted strings in an orderly fashion.

First, it copies both the decoy executable and the malicious DLL to a fabricated Adobe directory at **C:\ProgramData\Adobe\LicensingPlugin**, renaming them WF_Adobe_licensing_helper.exe and NewUI.dll respectively.

The malware then creates registry persistence through the Software\Microsoft\Windows\CurrentVersion\Run key, ensuring execution with the proper “Licensing” argument upon system restart.

Scheduled Task Persistence

Beyond registry-based persistence, the malware implements a secondary mechanism using Windows Task Scheduler.

The Claimloader decrypts and executes a command creating a scheduled task named “AdobeExperienceManager” that runs every two minutes:

```text
schtasks /F /Create /TN "AdobeExperienceManager" /SC minute /MO 2 /TR "C:\ProgramData\Adobe\LicensingPlugin\WF_Adobe_licensing_helper.exe Licensing"
```

This redundant persistence approach complicates incident response efforts and increases the likelihood of maintaining access even if one persistence mechanism is discovered and removed.
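The scheduled-task creation above leaves a process-creation record that is easy to triage. What follows is an added example, not from the article: a small detection that parses `schtasks /Create` command lines from constructed log records and flags the combination seen here (a minute-granularity trigger with a short interval, a vendor-styled task name, and a binary launched from ProgramData). The "timestamp | parent image | command line" record format is an assumption.

```python
import re

# Constructed process-creation records: "timestamp | parent image | command line".
# The format is an assumption; adapt the split to your EDR or Sysmon export.
SAMPLE_LOGS = [
    "2025-06-02T10:01:05Z | C:\\Users\\u\\Downloads\\Voice for the Voiceless Photos.exe | "
    'schtasks /F /Create /TN "AdobeExperienceManager" /SC minute /MO 2 '
    '/TR "C:\\ProgramData\\Adobe\\LicensingPlugin\\WF_Adobe_licensing_helper.exe Licensing"',
    "2025-06-02T10:03:00Z | C:\\Windows\\System32\\svchost.exe | "
    'schtasks /Create /TN "OneDrive Standalone Update" /SC daily '
    '/TR "C:\\Program Files\\OneDrive\\OneDriveStandaloneUpdater.exe"',
]

SWITCH = re.compile(r'/(TN|TR|SC|MO)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
VENDOR_NAME = re.compile(r"adobe|microsoft|google|oracle", re.IGNORECASE)

def parse_schtasks(cmdline: str) -> dict:
    """Return the /TN, /TR, /SC and /MO values of a 'schtasks /Create' call, else {}."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", cmdline, re.IGNORECASE):
        return {}
    return {m.group(1).upper(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SWITCH.finditer(cmdline)}

def score_task(opts: dict) -> list:
    """Findings that together match the persistence pattern described above."""
    findings = []
    sc, mo, tr, tn = (opts.get(k, "") for k in ("SC", "MO", "TR", "TN"))
    if sc.lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append(f"runs every {mo} minute(s)")
    if re.search(r"\\programdata\\", tr, re.IGNORECASE):
        findings.append("task action runs a binary from ProgramData")
    if VENDOR_NAME.search(tn) and not re.search(r"\\program files", tr, re.IGNORECASE):
        findings.append("vendor-styled task name but binary is not under Program Files")
    return findings

def triage(lines) -> list:
    """Run the checks over log lines; return one alert per suspicious task creation."""
    alerts = []
    for line in lines:
        ts, parent, cmd = (part.strip() for part in line.split(" | ", 2))
        opts = parse_schtasks(cmd)
        findings = score_task(opts) if opts else []
        if findings:
            alerts.append({"time": ts, "parent": parent, "task": opts.get("TN"), "findings": findings})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert["time"], alert["task"], "<-", alert["parent"])
        for finding in alert["findings"]:
            print("   -", finding)
```

Pair the alert with the parent image: a task created by a freshly downloaded executable rather than an installer is the strongest signal in the record.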

When executed with the correct argument, the Claimloader transitions to its primary payload deployment phase. The malware allocates executable memory using VirtualAlloc with PAGE_EXECUTE_READWRITE permissions, then copies decrypted shellcode to this buffer.

Rather than directly executing the shellcode, the malware abuses the EnumFontsW API callback mechanism by passing the shellcode address as the callback function pointer – a technique that evades many security monitoring solutions.

Shellcode code for static analysis.

The deployed shellcode, identified as Publoader, implements API hashing using the ROR13 algorithm to dynamically resolve necessary Windows APIs.

This component performs Process Environment Block (PEB) walking to locate and load required modules, ultimately establishing communication with command-and-control infrastructure to exfiltrate system information.
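Resolving the hash constants back to API names is the first step in reading such shellcode. The block below is an added example (not the shellcode's own code): it implements the ROR13 hash and a lookup table so a hash seen in the disassembly can be annotated with the export it selects. It assumes the plain variant (rotate the running value right by 13 bits, then add each character) over the bare export name; the article does not state which ROR13 variant this sample uses, and the API list is constructed.

```python
def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def ror13_hash(name: str) -> int:
    """ROR13 hash as commonly used by position-independent shellcode:
    for every character, rotate the accumulator right by 13 and add the byte."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h

# Export names to pre-hash. In practice an analyst hashes the full export tables
# of kernel32, ntdll and friends; this short list is constructed for the example.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "EnumFontsW", "CreateThread"]

def build_hash_table(names) -> dict:
    """Map hash -> export name so constants found in shellcode can be resolved."""
    return {ror13_hash(n): n for n in names}

def resolve_hashes(hashes, table: dict) -> dict:
    """Annotate each hash constant with its API name, or mark it unresolved."""
    return {h: table.get(h, "<unresolved>") for h in hashes}

if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    # Constructed: constants as they might be pushed before the resolver call
    seen = [0xEC0E4E8E, ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, name in resolve_hashes(seen, table).items():
        print(f"0x{h:08x} -> {name}")
```

If a constant stays unresolved against every export table, the sample is likely using a different rotation count, a case-folded name, or a module-name prefix, and the hash routine in the shellcode should be re-read.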

The campaign demonstrates Mustang Panda’s continued evolution in targeting methodologies, combining social engineering elements specific to Tibetan interests with advanced technical obfuscation techniques.

Security teams should implement comprehensive monitoring for unusual DLL loading patterns, scheduled task creation, and suspicious registry modifications to detect similar campaigns effectively.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.