A new phishing campaign analyzed by malware researcher 0x0d4y has uncovered fresh insights into Mustang Panda’s evolving tactics, as the China-nexus threat actor deploys a stealthy DLL side-loading chain disguised under a humanitarian guise — a decoy titled “Voice for the Voiceless Photos.exe”, referencing the Dalai Lama’s book.
According to the researcher, “an execution chain of payloads delivered via Phishing from another Threat Actor China-Nexus, however, implementing the same TTP, yes, DLL Side-Loading!”
The campaign, first identified in June 2025 by IBM X-Force, specifically targets the Tibetan community for political purposes, leveraging hidden DLL payloads, multi-stage loaders, and persistence through registry and scheduled tasks — all classic hallmarks of Mustang Panda’s tradecraft.
The initial infection vector comes via a malicious ZIP archive containing two files — the decoy executable Voice for the Voiceless Photos.exe and a hidden DLL named libjyy.dll. What makes this technique insidious is how the DLL is deliberately marked to stay invisible in Windows Explorer.
As 0x0d4y explains, “When we use the ls -force command, we are able to observe the DLL libjyy.dll, containing the -arhs- modes that allow it to be hidden.” These file attributes (archive, read-only, hidden, system) mark the DLL as a hidden system file; Explorer keeps such files out of view even when “Show hidden files” is enabled, because they fall under the separate “Hide protected operating system files” setting that is on by default.
This manipulation effectively ensures that the victim doesn’t suspect the presence of an unexpected file when opening the directory and clicking on the initial payload.
Once the victim runs the decoy executable, its only purpose is to dynamically load the concealed DLL using the Windows API LoadLibraryW.
“This is the only function of this decoy, to load the real malicious payload which consists of the hidden DLL named libjyy.dll.”

The DLL — masquerading as a legitimate file from “Wargaming.net” — acts as Claimloader, Mustang Panda’s proprietary loader, previously mentioned by IBM’s X-Force. Claimloader is responsible for decrypting strings, creating persistence, and deploying the final stage, Publoader.
Claimloader uses custom XOR-based string encryption to obfuscate its API calls and DLL names, ensuring that static analysis tools cannot easily recognize its behavior.
“The string decryption routine is quite simple, essentially an XOR operation on a single-byte key… all strings encrypted by this algorithm refer to APIs that will be dynamically loaded to implement specific capabilities, primarily allocation, injection, and execution of the next stage (Publoader).”
These dynamically decrypted APIs include VirtualAlloc, GetProcAddress, and LdrLoadDll, enabling Claimloader to allocate memory, decrypt shellcode, and execute the next payload — all while remaining fileless at runtime.
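The single-byte XOR scheme described above is easy to undo once the key is known, and an analyst can recover the key by brute force because the plaintexts are API names. The following script is an added example, not code from the article or from the sample: the encrypted blobs are constructed here by XOR-ing the reported API names with an arbitrary key (0x5A), and the known-API list is an assumption used only for scoring.

```python
import string

# Constructed sample: the API names Claimloader reportedly resolves, XOR-encrypted
# here with an illustrative single-byte key. The real key is not given in the article.
SAMPLE_KEY = 0x5A
PLAINTEXTS = [b"VirtualAlloc", b"GetProcAddress", b"LdrLoadDll"]
ENCRYPTED = [bytes(c ^ SAMPLE_KEY for c in p) for p in PLAINTEXTS]

# Assumed dictionary of API names worth matching against; extend as needed.
KNOWN_APIS = {"VirtualAlloc", "GetProcAddress", "LdrLoadDll", "LoadLibraryA", "LoadLibraryW"}


def xor_decrypt(blob: bytes, key: int) -> bytes:
    """Undo the single-byte XOR (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)


def score(candidate: bytes) -> int:
    """Score a trial decryption: 100 for an exact known-API hit, else the count of
    printable ASCII bytes; non-ASCII output scores 0."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return 0
    if text in KNOWN_APIS:
        return 100
    return sum(ch in string.printable for ch in text)


def recover_key(blobs: list[bytes]) -> int:
    """Try all 256 keys; the key with the best total score across all blobs wins.
    Scoring across several blobs at once avoids a lucky single-string false positive."""
    best_key, best_score = 0, -1
    for key in range(256):
        total = sum(score(xor_decrypt(b, key)) for b in blobs)
        if total > best_score:
            best_key, best_score = key, total
    return best_key


def decrypt_strings(blobs: list[bytes]) -> list[str]:
    """Recover the key from the blobs, then decrypt every blob with it."""
    key = recover_key(blobs)
    return [xor_decrypt(b, key).decode("ascii", errors="replace") for b in blobs]


if __name__ == "__main__":
    print(hex(recover_key(ENCRYPTED)), decrypt_strings(ENCRYPTED))
```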
If the decoy runs without the expected argument “Licensing”, Claimloader creates multiple persistence mechanisms designed to ensure re-execution on reboot.
The malware copies its components into a fake directory:
renaming the files to WF_Adobe_licensing_helper.exe and NewUI.dll to blend in with legitimate Adobe software.
0x0d4y notes, “Claimloader will copy the decoy and Claimloader to a fake Adobe directory, followed by implementing the T1547.001 persistence technique.”
This involves creating registry keys in
to ensure the malware automatically runs at every startup.
A secondary persistence mechanism leverages MITRE ATT&CK T1053.005, using Windows’ schtasks.exe binary to create a scheduled task named “AdobeExperienceManager” that executes the same payload every two minutes:
“The command is passed as an argument to the CreateProcessA API, which will be responsible for finally executing the command.”
When executed with the proper argument, Claimloader decrypts and injects shellcode into memory and uses an unusual API call — EnumFontsW — to trigger execution through a callback function abuse.
“EnumFontsW will execute the shellcode by abusing the API’s Callback mechanism. The lpProc argument of EnumFontsW expects to receive a pointer to the application-defined callback function. Therefore, by passing the offset of a shellcode to this argument, EnumFontsW will execute the shellcode.”
This creative exploitation of legitimate Windows functionality provides stealthy code execution, bypassing typical detection methods.
The final payload, known as Publoader, resolves system libraries such as kernel32.dll through API hashing, comparing ROR13 hashes of module names rather than the names themselves.
0x0d4y observed that “Publoader uses the PEB Walking technique, where the PEB structure is accessed in a loop to collect the name of each module, where each name will be submitted to the ROR13 hash algorithm.”
This technique enables the malware to dynamically load essential APIs such as LoadLibraryA and GetProcAddress without leaving readable traces in memory — a hallmark of Mustang Panda’s anti-analysis and evasion sophistication.
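Because only hashes appear in the binary, analysts typically precompute ROR13 hashes for likely module and export names and look up the values found in the sample. The script below is an added example, not code from the article or the sample: it assumes the common ROR13 variant (rotate the running 32-bit hash right by 13, then add each byte) and hashes several encodings of each name, since the article does not say whether Publoader hashes the UTF-16 PEB name as-is, uppercased, or with its terminating NUL.

```python
MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """32-bit rotate right."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(data: bytes) -> int:
    """Assumed ROR13 variant: per byte, rotate the hash right by 13 and add the byte."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def candidate_encodings(name: str) -> dict[str, bytes]:
    """Module names read from the PEB are UTF-16LE (often uppercased by the loader,
    sometimes hashed with the terminating NUL); export names are ASCII."""
    return {
        "ascii": name.encode("ascii"),
        "utf16le": name.encode("utf-16-le"),
        "utf16le_upper": name.upper().encode("utf-16-le"),
        "utf16le_upper_nul": (name.upper() + "\x00").encode("utf-16-le"),
    }


def build_table(names: list[str]) -> dict[int, tuple[str, str]]:
    """Map hash -> (name, encoding) so a hash seen in a sample can be resolved."""
    table: dict[int, tuple[str, str]] = {}
    for n in names:
        for enc, data in candidate_encodings(n).items():
            table[ror13_hash(data)] = (n, enc)
    return table


def resolve(hash_value: int, table: dict[int, tuple[str, str]]):
    """Return (name, encoding) for a known hash, or None if it is not in the table."""
    return table.get(hash_value)


if __name__ == "__main__":
    # Constructed candidate list; in practice use all exports of the DLLs of interest.
    t = build_table(["kernel32.dll", "ntdll.dll", "LoadLibraryA", "GetProcAddress"])
    for h, hit in sorted(t.items()):
        print(f"{h:08x} -> {hit}")
```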
The campaign’s Tibetan targeting mirrors Mustang Panda’s established espionage objectives. As 0x0d4y highlights, it was “identified in June 2025 by IBM’s X-Force, which targets the Tibetan community for obviously political reasons.”
This aligns with previous activity involving the Publoader and TONEINS malware families, often used for geopolitical intelligence gathering across Asia and Europe.