Mustang Panda Targets Windows Users with ToneShell Malware Disguised as Google Chrome
The China-aligned threat actor Mustang Panda, also known as Earth Preta, HIVE0154, RedDelta, and Bronze President, has been deploying the ToneShell backdoor against Windows users, primarily targeting government and military entities in the Asia-Pacific and Europe.
Active since at least 2012, the group leverages spear-phishing emails with military-themed lures to deliver malicious archives, such as mustang_panda.zip, containing a dropper executable (Dropper.exe) that masquerades as a corrupted PDF file.
Exploits DLL Sideloading
Upon execution, the dropper shows a deceptive error dialog: “Error: File Corrupted—The PDF file is corrupted. Please restart your computer to try again.” The dialog is a distraction; in the background the dropper writes a legitimate Google Chrome binary and a malicious DLL beside it so that the DLL is sideloaded.
According to the report, the sideloading abuses ChromePDF.exe, a legitimate Chrome binary placed in C:\ProgramData\ChromePDFBrowser\, which loads the malicious chrome_elf.dll from the subdirectory 101.0.4951.41. The version-numbered folder and the DLL's spoofed version metadata mimic Chrome's real install layout to evade casual inspection.
The high-confidence attribution to Mustang Panda rests on consistent TTPs, including infrastructure reuse and evasion tactics, observed across activity from March to July 2025.
Mustang Panda employs a redundant persistence strategy to maintain long-term access. It combines Run values under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (a value named ChromePDFBrowser pointing to ChromePDF.exe, plus a second named FreePDF) with a scheduled task named ChromeBrowser-chromiumim, created via schtasks commands, that executes every five minutes.
The Run values relaunch the backdoor at logon and the task re-executes it periodically, so removing only one of the two mechanisms does not end the infection.
Enhance Operational Resilience
The ToneShell backdoor communicates over a custom encrypted protocol that imitates TLS with the C2 server at 218.255.96.245:443, an IP linked to HKBN Enterprise Solutions in Hong Kong. Its records begin with the bytes 17 03 03, the header of a TLS 1.2 Application Data record, even though no TLS handshake precedes them.
Network forensics reveal bidirectional exchanges that pass as ordinary HTTPS to port-and-protocol based monitoring.
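The fake-TLS pattern above gives a concrete network check: a genuine TLS client always opens with a Handshake record (0x16) carrying a ClientHello, so an Application Data record (17 03 03) as the very first bytes of a new connection is anomalous. The following is an added example written for this article, not code from the report or from any vendor tool; the byte strings are constructed minimal samples, not captured traffic, and the C2 IP is the one the report lists.

```python
"""Flag ToneShell-style fake TLS: Application Data records (0x17 0x03 0x03)
sent as the first bytes of a connection, with no ClientHello before them.
Added example; sample byte strings below are constructed, not captured."""
import struct
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
TLS_APPLICATION_DATA = 0x17   # record content type for encrypted payload
CLIENT_HELLO = 0x01           # first byte of a ClientHello handshake message
TLS_VERSIONS = {0x0301, 0x0302, 0x0303}  # record-layer versions seen on the wire
TONESHELL_C2 = "218.255.96.245"          # C2 IP from the report


@dataclass
class Record:
    content_type: int
    version: int
    body: bytes


def parse_records(data: bytes) -> list:
    """Split a byte string into complete TLS records (5-byte header + body)."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:        # truncated trailing record: stop here
            break
        records.append(Record(ctype, ver, body))
        off += 5 + length
    return records


def classify_first_record(client_bytes: bytes) -> str:
    """Classify the first record a client sends on a new connection."""
    recs = parse_records(client_bytes)
    if not recs or recs[0].version not in TLS_VERSIONS:
        return "not-tls"
    first = recs[0]
    if first.content_type == TLS_HANDSHAKE and first.body[:1] == bytes([CLIENT_HELLO]):
        return "tls-client-hello"
    if first.content_type == TLS_APPLICATION_DATA:
        # Real TLS never sends Application Data before the handshake;
        # ToneShell's custom protocol borrows only the record header.
        return "appdata-without-handshake"
    return "other-tls-record"


def assess_flow(dst_ip: str, dst_port: int, client_bytes: bytes) -> list:
    """Findings for a new outbound flow, judged on the first client payload."""
    findings = []
    if dst_ip == TONESHELL_C2:
        findings.append("destination is the reported ToneShell C2")
    if dst_port == 443 and classify_first_record(client_bytes) == "appdata-without-handshake":
        findings.append("fake-TLS: Application Data record with no ClientHello")
    return findings


# Constructed samples: a genuine stream opens with a Handshake record whose
# body starts with the ClientHello type byte ...
GENUINE_START = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
# ... while the ToneShell pattern opens straight with 17 03 03.
TONESHELL_START = b"\x17\x03\x03\x00\x08" + bytes(range(8))

if __name__ == "__main__":
    print(classify_first_record(GENUINE_START), classify_first_record(TONESHELL_START))
    print(assess_flow(TONESHELL_C2, 443, TONESHELL_START))
```

Apply this only to the first client payload of a connection whose SYN was observed: a capture that starts mid-session will also show a bare Application Data record, and that is a blind spot of the sensor, not a C2 indicator. TLS session resumption does not change the rule, since a resumed session still begins with a ClientHello.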
Analysis of the malicious DLL (SHA-256: 216188ee52b067f761bdf3c456634ca2e84d278c8ebf35cd4cb686d45f5aaf7b) shows it imports 118 Windows API functions for process manipulation (e.g., CreateProcessA/W, TerminateProcess), file operations (e.g., WriteFile, FindFirstFileEx), registry modifications (e.g., RegSetValueEx), and shell execution (e.g., ShellExecuteW), enabling comprehensive system control while mimicking legitimate Chrome metadata.
Link analysis uncovers operational continuity, with the C2 IP shared across DOPLUGS (2024, targeting Asia-Pacific), PUBLOAD (2024, focusing on Tibetan organizations), and the current ToneShell campaign, demonstrating Mustang Panda’s efficiency in infrastructure reuse.
Prefetch artifacts confirm the infection chain, from initial dropper execution (DROPPER.EXE-AF23BC17.pf) involving file deployments and task creation to persistent runs of ChromePDF.exe (CHROMEPDF.EXE-AD96CF35.pf) via DLL sideloading.

Detection opportunities include PowerShell queries for the file, registry and task artifacts, Microsoft Defender rules for suspicious image loads and task creation, and Sigma rules covering behaviours such as image loads from non-standard paths, process creation under ProgramData, conhost.exe launched with headless parameters, scheduled task creation, and registry Run-key persistence.
Organizations should hunt for the IOCs below, block traffic to the C2, audit Run keys and scheduled tasks, and implement email sandboxing, application allowlisting, and behavioral monitoring to counter these TTPs, which map to MITRE ATT&CK techniques T1574.001 (DLL Side-Loading), T1053.005 (Scheduled Task), and T1547.001 (Registry Run Keys).
This evolution highlights Mustang Panda’s maturity in evasion and persistence, urging proactive defenses beyond signatures.
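The persistence chain and the detection behaviours listed above can be expressed as a handful of Sysmon-style rules. What follows is an added example written for this article, not detection content from the report, Microsoft Defender or any published Sigma rule; the events are hand-constructed to mirror the artifacts the report names (the ProgramData path, the Run value, the five-minute task, the versioned chrome_elf.dll folder), the user SID and the benign Chrome version folder are made up, and the Chrome install locations used to judge sideloading are an assumption about a standard install.

```python
"""Host-side detection logic for the ToneShell persistence and sideloading
chain, run over constructed Sysmon-style events.  Added example; the events
are hand-written to mirror the article's artifacts, not real telemetry."""
import fnmatch

# Where a genuine Chrome install keeps chrome_elf.dll (assumption: standard
# system-wide and per-user install locations). Provenance, not the version
# folder, is what matters: the actor spoofs version details.
CHROME_INSTALL_GLOBS = (
    r"c:\program files\google\chrome\application\*",
    r"c:\program files (x86)\google\chrome\application\*",
    r"c:\users\*\appdata\local\google\chrome\application\*",
)


def _low(ev, key):
    return str(ev.get(key, "")).lower()


def chrome_elf_sideload(ev):
    """Sysmon 7: chrome_elf.dll loaded from outside a Chrome install dir."""
    loaded = _low(ev, "ImageLoaded")
    if ev.get("EventID") != 7 or not loaded.endswith("\\chrome_elf.dll"):
        return False
    return not any(fnmatch.fnmatch(loaded, g) for g in CHROME_INSTALL_GLOBS)


def process_in_programdata(ev):
    """Sysmon 1: executable launched from under C:\\ProgramData."""
    return ev.get("EventID") == 1 and _low(ev, "Image").startswith("c:\\programdata\\")


def schtasks_minute_interval(ev):
    """Sysmon 1: schtasks /create with a minute-granularity schedule."""
    cl = _low(ev, "CommandLine")
    return (ev.get("EventID") == 1 and _low(ev, "Image").endswith("\\schtasks.exe")
            and "/create" in cl and "/sc minute" in cl)


def run_key_to_programdata(ev):
    """Sysmon 13: Run value whose target lives under C:\\ProgramData."""
    return (ev.get("EventID") == 13
            and "\\currentversion\\run\\" in _low(ev, "TargetObject")
            and "c:\\programdata\\" in _low(ev, "Details"))


def conhost_headless(ev):
    """Sysmon 1: conhost.exe started with --headless (hidden child window)."""
    return (ev.get("EventID") == 1 and _low(ev, "Image").endswith("\\conhost.exe")
            and "--headless" in _low(ev, "CommandLine"))


# (rule name, ATT&CK technique as given in the article or None, predicate)
RULES = [
    ("chrome_elf_sideload", "T1574.001", chrome_elf_sideload),
    ("process_in_programdata", None, process_in_programdata),
    ("schtasks_minute_interval", "T1053.005", schtasks_minute_interval),
    ("run_key_to_programdata", "T1547.001", run_key_to_programdata),
    ("conhost_headless", None, conhost_headless),
]


def evaluate(events):
    """Return one (rule, technique, event index) hit per matching rule/event."""
    return [(name, technique, i)
            for i, ev in enumerate(events)
            for name, technique, pred in RULES if pred(ev)]


def fired_rules(events):
    return {name for name, _, _ in evaluate(events)}


# Constructed events mirroring the chain described in the report.
SID = "S-1-5-21-1000-2000-3000-1001"  # made-up user SID (HKCU appears as HKU\<SID> in Sysmon)
BASE = r"C:\ProgramData\ChromePDFBrowser"
RUN = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SUSPECT_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn ChromeBrowser-chromiumim /tr "'
                    + BASE + '\\ChromePDF.exe"'},
    {"EventID": 13, "TargetObject": "HKU\\" + SID + RUN + "ChromePDFBrowser",
     "Details": BASE + "\\ChromePDF.exe"},
    {"EventID": 1, "Image": BASE + "\\ChromePDF.exe", "CommandLine": "ChromePDF.exe"},
    {"EventID": 7, "Image": BASE + "\\ChromePDF.exe",
     "ImageLoaded": BASE + "\\101.0.4951.41\\chrome_elf.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe --headless " + BASE + "\\ChromePDF.exe"},
]
BENIGN_EVENTS = [  # normal Chrome, a daily task, a user-profile Run value
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\120.0.0.0\chrome_elf.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc daily /tn Backup /tr backup.exe"},
    {"EventID": 13, "TargetObject": "HKU\\" + SID + RUN + "OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for name, technique, idx in evaluate(SUSPECT_EVENTS):
        print(f"{name:26} {technique or '-':10} event #{idx}")
```

The process-in-ProgramData rule is the noisy one (some legitimate updaters live there), so in production it belongs behind an allowlist or correlated with the sideload or task rules from the same host. The sideload rule deliberately keys on where chrome_elf.dll was loaded from rather than on the DLL's name or version folder, because that is the one thing the actor cannot spoof without also owning Chrome's install directory.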
Indicators of Compromise (IOCs)
| Category | Indicator |
|---|---|
| Hash (SHA-256) | 216188ee52b067f761bdf3c456634ca2e84d278c8ebf35cd4cb686d45f5aaf7b (chrome_elf.dll) |
| Hash (SHA-256) | c49c686c26845b9ef0913642caff101783663787579fa4432ec4740c8c685e45 (dropper.exe) |
| Network | 218.255.96.245 (C2) |
| File | C:\ProgramData\ChromePDFBrowser\ChromePDF.exe |
| File | C:\ProgramData\ChromePDFBrowser\101.0.4951.41\chrome_elf.dll |
| Registry | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromePDFBrowser |
| Scheduled Task | ChromeBrowser-chromiumim |