Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks

The Hacker News by The Hacker News
February 18, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Feb 18, 2025Ravie LakshmananCyber Espionage / Malware

The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems.

This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor’s malicious payload into an external process, waitfor.exe, whenever ESET antivirus application is detected running, Trend Micro said in a new analysis.

“The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim,” security researchers Nathaniel Morales and Nick Dai noted.

Cybersecurity

“Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems.”

The starting point of the attack sequence is an executable (“IRSetup.exe”) that serves as a dropper for several files, including the lure document that’s designed to target Thailand-based users. This alludes to the possibility that the attacks may have involved the use of spear-phishing emails to single out victims.

Chinese Hackers

The binary then proceeds to execute a legitimate Electronic Arts (EA) application (“OriginLegacyCLI.exe”) to sideload a rogue DLL named “EACore.dll” that’s a modified version of the TONESHELL backdoor attributed to the hacking crew.

Core the malware’s function is a check to determine if two processes associated with ESET antivirus applications — “ekrn.exe” or “egui.exe” — are running on the compromised host, and if so, execute “waitfor.exe” and then use “MAVInject.exe” in order to run the malware without getting flagged by it.

Cybersecurity

“MAVInject.exe, which is capable of proxy execution of malicious code by injecting to a running process as a means of bypassing ESET detection, is then used to inject the malicious code into it,” the researchers explained. “It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software.”

The malware ultimately decrypts the embedded shellcode that allows it to establish connections with a remote server (“www.militarytc[.]com:443”) to receive commands for establishing a reverse shell, moving files, and deleting files.

“Earth Preta’s malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration,” the researchers said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Digital Realty Predicts Accelerating Data Center Demand, Even Amid DeepSeek Disruption

Digital Realty Predicts Accelerating Data Center Demand, Even Amid DeepSeek Disruption

Recommended.

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

March 4, 2025
Palo Alto Networks y Deutsche Telekom aportan seguridad basada en IA

Palo Alto Networks y Deutsche Telekom aportan seguridad basada en IA

June 9, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio