A new threat actor known as Mustang Panda has been using a novel technique to evade detection by ESET antivirus software. The attackers inject a malicious payload into the “waitfor.exe” utility, which is used by ESET to synchronize processes between machines.
The attack begins with an executable file called “IRSetup.exe”, which drops several files, including a lure document and a modified version of the TONESHELL backdoor attributed to another hacking crew. The attackers then use this backdoor to establish connections with a remote server, receive commands for data exfiltration, and move files.
The malware uses a legitimate Microsoft utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious code into an external process when ESET antivirus software is detected running. This technique allows the attackers to bypass detection and maintain persistence in compromised systems.
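As an added defender-side example (not code from the article, ESET, or the threat actor), the following Python scans process-creation events for the chain described above: a MAVInject.exe launch whose command line references the PID of a running waitfor.exe process. The event fields, file paths and sample log lines are constructed assumptions in a Sysmon-like shape, not values from the page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed, Sysmon-like field set)."""
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed sample telemetry (hypothetical paths and PIDs, not from the article).
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Users\victim\IRSetup.exe", r"C:\Windows\explorer.exe",
              "IRSetup.exe"),
    ProcEvent(4321, r"C:\Windows\System32\waitfor.exe", r"C:\Users\victim\IRSetup.exe",
              "waitfor.exe SomeSignal"),
    ProcEvent(4400, r"C:\Windows\System32\MAVInject.exe", r"C:\Users\victim\IRSetup.exe",
              r"MAVInject.exe 4321 /INJECTRUNNING C:\Users\victim\payload.dll"),
    # Benign-looking MAVInject use targeting a non-waitfor process: must not fire.
    ProcEvent(2222, r"C:\Program Files\SomeApp\app.exe", r"C:\Windows\explorer.exe",
              "app.exe"),
    ProcEvent(5000, r"C:\Windows\System32\MAVInject.exe", r"C:\Windows\System32\services.exe",
              r"MAVInject.exe 2222 /INJECTRUNNING C:\Program Files\SomeApp\ext.dll"),
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mavinject_into_waitfor(events):
    """Flag MAVInject.exe launches whose command line names the PID of a waitfor.exe process.

    Returns one finding per (injector, target) pair, with the shared parent recorded
    so an analyst can see the dropper that spawned both sides of the chain.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if image_name(e.image) != "mavinject.exe":
            continue
        # Any standalone integer on the command line is a candidate target PID.
        for tok in re.findall(r"\b\d+\b", e.command_line):
            target = by_pid.get(int(tok))
            if target is not None and image_name(target.image) == "waitfor.exe":
                findings.append({
                    "injector_pid": e.pid,
                    "target_pid": target.pid,
                    "injector_parent": image_name(e.parent_image),
                    "target_parent": image_name(target.parent_image),
                    "same_parent": e.parent_image.lower() == target.parent_image.lower(),
                })
    return findings
```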
ESET has previously published details about this malware and technique, but has now clarified that it does not effectively bypass their antivirus software. The company attributes the threat to a different APT group, CeranaKeeper, and states that ESET users are protected against this malware and technique.
The attack sequence highlights the ongoing evolution of cyber threats and the need for effective security measures to stay ahead of emerging tactics.
Source: https://thehackernews.com/2025/02/chinese-hackers-exploit-mavinjectexe-to.html