Chinese Hackers Caught Using Secret Windows Tool to Sneak Past Antivirus in High-Stakes Cyber Attack

By: Search More Team
Posted On: 20 February

In a new wave of sophisticated cyber espionage, the Chinese state-sponsored hacking group known as Mustang Panda has been observed using a legitimate Windows utility, MAVInject.exe, to evade detection while infiltrating targeted systems. According to security researchers at Trend Micro, the attackers are leveraging the Microsoft Application Virtualization Injector (MAVInject.exe), a signed Microsoft binary that ships with Windows, to inject malicious code into an already running process, so that the injection is carried out by a trusted tool rather than by the malware's own code.

How the Attack Works

The campaign, attributed to Earth Preta, a subgroup of Mustang Panda, employs a series of techniques designed to maintain persistence and avoid detection by security software, and it changes its behaviour when it finds ESET antivirus running on the victim machine.

Security researchers Nathaniel Morales and Nick Dai from Trend Micro explained,

"The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim."

The attack begins with the IRSetup.exe dropper, which writes several files to disk, including a lure document aimed at users in Thailand. The lure suggests the attackers used spear-phishing emails to reach specific individuals or organizations.

Leveraging Legitimate Applications for Malware Execution

One of the most notable aspects of this attack is the hackers' abuse of legitimate applications to deploy malware. After the dropper runs, it launches a genuine Electronic Arts (EA) application (OriginLegacyCLI.exe), which sideloads a rogue DLL named "EACore.dll" that the dropper placed alongside the executable, so the malicious code runs inside a process whose image is a legitimate, vendor-supplied binary.

The researchers noted:

"Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems."

A key function of the malware is to check whether ESET antivirus processes ("ekrn.exe" or "egui.exe") are running on the infected machine. If they are, the malware launches "waitfor.exe", a legitimate Windows command-line synchronization tool, and then runs MAVInject.exe to inject its payload into that waitfor.exe process. MAVInject's documented command-line form takes a target process ID and the /INJECTRUNNING switch followed by the DLL to load, which is exactly the living-off-the-land capability the attackers need.

Because the payload ends up executing inside a legitimate Windows process, and because the injection is performed by a Microsoft-signed system binary rather than by the malware calling process-injection APIs itself, the activity does not look like malware tampering with another process, which is what traditional antivirus heuristics tend to key on.
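The chain described above (signed EA binary sideloading EACore.dll, waitfor.exe started from that host, MAVInject.exe injecting into it) is easiest to catch from process-creation and image-load telemetry rather than from file signatures. The following is an added detection example written for this article; it is not code from Trend Micro, ESET or the original page. It consumes constructed Sysmon-style events (Event ID 1 for process creation, Event ID 7 for image load); the PIDs, paths, the waitfor.exe signal names and the assumed Authenticode `signed` field are all invented for the example, while the MAVInject command-line form (`<PID> /INJECTRUNNING <DLL>`) is the utility's documented syntax.

```python
"""Detection pass over constructed Sysmon-style events (EID 1 process
creation, EID 7 image load) modelled on the Earth Preta chain described
above: OriginLegacyCLI.exe sideloads EACore.dll, spawns waitfor.exe, then
MAVInject.exe injects into it. Every event below is constructed for this
example; PIDs, paths, signal names and the `signed` field are assumptions."""
import ntpath
import re
from dataclasses import dataclass

# Documented MAVInject form: mavinject.exe <PID> /INJECTRUNNING <DLL path>
INJECT_RE = re.compile(r"\b(\d+)\s+/INJECTRUNNING\s+(\S+)", re.IGNORECASE)
MAVINJECT = {"mavinject.exe", "mavinject32.exe"}
# Parents from which an interactive or scripted waitfor.exe is expected (assumed baseline).
WAITFOR_OK_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    eid: int                  # 1 = process create, 7 = image load
    pid: int
    image: str                # full path of the process image
    parent_pid: int = 0
    parent_image: str = ""
    command_line: str = ""
    loaded: str = ""          # EID 7: full path of the loaded DLL
    signed: bool = True       # EID 7: assumed Authenticode verification result


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return (rule, detail) tuples, one per matching stage of the chain."""
    # Process table built from EID 1 so a MAVInject target PID can be resolved.
    table = {e.pid: base(e.image) for e in events if e.eid == 1}
    findings = []
    for e in events:
        if e.eid == 7:
            # Rule 1: unsigned DLL loaded from the host EXE's own directory,
            # and that directory is outside Windows / Program Files.
            same_dir = ntpath.dirname(e.loaded).lower() == ntpath.dirname(e.image).lower()
            if same_dir and not e.signed and not in_trusted_dir(e.image):
                findings.append(("dll_sideload", f"{base(e.image)} <- {base(e.loaded)}"))
        elif e.eid == 1:
            name = base(e.image)
            # Rule 2: waitfor.exe started by something other than a shell.
            if name == "waitfor.exe" and base(e.parent_image) not in WAITFOR_OK_PARENTS:
                findings.append(("waitfor_unusual_parent", f"parent={base(e.parent_image)}"))
            # Rule 3: MAVInject /INJECTRUNNING, with the target PID resolved to an image.
            if name in MAVINJECT:
                m = INJECT_RE.search(e.command_line)
                if m:
                    target = table.get(int(m.group(1)), "unknown")
                    findings.append(("mavinject_injectrunning",
                                     f"target={target} dll={base(m.group(2))}"))
    return findings


# Constructed sample telemetry (not real log data).
SAMPLE = [
    Event(1, 4000, r"C:\Users\victim\Downloads\IRSetup.exe", 1200, r"C:\Windows\explorer.exe"),
    Event(1, 4100, r"C:\ProgramData\session\OriginLegacyCLI.exe", 4000,
          r"C:\Users\victim\Downloads\IRSetup.exe"),
    Event(7, 4100, r"C:\ProgramData\session\OriginLegacyCLI.exe",
          loaded=r"C:\Windows\System32\kernel32.dll", signed=True),
    Event(7, 4100, r"C:\ProgramData\session\OriginLegacyCLI.exe",
          loaded=r"C:\ProgramData\session\EACore.dll", signed=False),
    Event(1, 4712, r"C:\Windows\System32\waitfor.exe", 4100,
          r"C:\ProgramData\session\OriginLegacyCLI.exe", "waitfor.exe sig"),
    Event(1, 4800, r"C:\Windows\System32\mavinject.exe", 4100,
          r"C:\ProgramData\session\OriginLegacyCLI.exe",
          r'"C:\Windows\System32\mavinject.exe" 4712 /INJECTRUNNING C:\ProgramData\session\EACore.dll'),
    # Benign: an admin script waiting on a signal, launched from cmd.exe.
    Event(1, 5100, r"C:\Windows\System32\waitfor.exe", 5000, r"C:\Windows\System32\cmd.exe",
          "waitfor.exe build_done"),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE):
        print(f"{rule:26} {detail}")
```

Run against the sample, the pass produces three findings (the sideload, the waitfor.exe with an unexpected parent, and the MAVInject call resolved to waitfor.exe) and ignores the benign waitfor.exe launched from cmd.exe. The useful property is rule 3: keying on the /INJECTRUNNING command line and resolving the target PID means the detection does not depend on the injector being unsigned or unknown, which is precisely what signature-based allowlisting misses here.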

Establishing a Command-and-Control Connection

Once the malware is fully deployed, it decrypts embedded shellcode that establishes communication with a remote command-and-control (C2) server. The compromised system connects to www.militarytc[.]com:443, from which it can receive commands to open a reverse shell, move files, and delete files to remove evidence.

Trend Micro emphasized that,

"Earth Preta's malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration."

ESET Responds to Trend Micro’s Findings

Following the publication of Trend Micro’s report, cybersecurity firm ESET responded with an official statement, disputing the claim that their software had been effectively bypassed by this attack.

According to ESET,

"We disagree with the published findings that this attack ‘effectively bypasses ESET antivirus.’ This is not a bypass and we are bemused that Trend Micro did not alert ESET to discuss their findings."

ESET clarified that the technique used by Earth Preta is not novel, and that its products had already been detecting and protecting against this method for years. The company added that it attributes the activity to the China-aligned CeranaKeeper APT group, and that it has had specific detections for this malware in place since January 2025.

"ESET users are protected against this malware and technique," the company added.

A Growing Threat in Cybersecurity

The Mustang Panda APT group has been associated with numerous cyber espionage campaigns, often targeting government entities, think tanks, and other high-profile organizations. Its willingness to chain legitimate, signed applications (an installer framework, an EA game client, two Windows system binaries) into a single execution path shows how state-sponsored actors now lean on living-off-the-land techniques rather than on custom loaders alone.

With MAVInject.exe abuse being just the latest technique in their arsenal, defenders should not rely on the reputation of the executing binary. Practical checks that this campaign suggests: alert on mavinject.exe run with /INJECTRUNNING outside of an App-V deployment, on waitfor.exe being spawned by anything other than a shell, and on DLLs loaded from user-writable locations such as ProgramData alongside an otherwise legitimate executable.

Key Takeaways:

- Chinese Mustang Panda hackers are abusing MAVInject.exe to evade detection.
- The attack sequence begins with a dropper (IRSetup.exe) and uses a legitimate EA application to sideload malware.
- The malware checks for ESET antivirus processes and, if present, injects its payload into waitfor.exe via MAVInject.exe.
- A command-and-control connection is established to carry out further malicious activity.
- ESET disputes Trend Micro's findings, asserting that its software had already been detecting and blocking the attack.

As cyber warfare intensifies, organizations must keep their defenses current and keep pace with advanced persistent threats (APTs) like Mustang Panda.