A new threat analysis by Kyaw Pyiyt Htet, a CREST-certified Threat Intelligence Analyst, has revealed the inner workings of a persistent cyber-espionage campaign by Mustang Panda — a notorious China-aligned APT group. The report provides a technical deep dive into the group’s latest offensive, which uses the ToneShell backdoor to target government and military entities across the Asia-Pacific and Europe.
The campaign, which the report assesses with high confidence to have run from March to July 2025, shows a consistent targeting pattern and a refined attack chain. According to the report, its hallmarks are:
- Dual Persistence via Windows Registry and Task Scheduler
- DLL Sideloading using a fake Chrome component
- Masquerading as legitimate Chrome processes
- Command and Control (C2) activity over port 443 masked as HTTPS
“The malware masquerades as a legitimate Google Chrome component by spoofing the file description as ‘Google Chrome’ and matching the version number (101.0.4951.41) with the hijacked Chrome binary,” the researcher writes.

The campaign begins with spear-phishing emails containing malicious archives disguised as military documents. The ZIP archive mustang_panda[.]zip includes:
- Dropper.exe: a 2.2 MB fake PDF viewer
- A folder mimicking Chrome version 101.0.4951.41
- A trojanized chrome_elf.dll and manifest file
Once executed, users see a fake error:
“Error: File Corrupted – The PDF file is corrupted. Please restart your computer to try again.”
Meanwhile, the backdoor silently installs in the background.
Upon execution:
- Dropper.exe places the legitimate Chrome binary (saved as ChromePDF.exe) in C:\ProgramData\ChromePDFBrowser\
- It then drops a malicious chrome_elf.dll alongside it; because Chrome loads chrome_elf.dll from its own directory at start-up, the renamed Chrome binary sideloads the malicious DLL and the backdoor runs inside a process that looks like Chrome
- Two persistence mechanisms are established:
  - Registry Run key: HKEY_CURRENT_USER\…\Run (value name ChromePDFBrowser)
  - Scheduled task: runs every 5 minutes, created with schtasks /Create /TN "ChromeBrowser-chromiumim"
“This dual approach ensures automatic execution at user logon and continuous execution every five minutes, providing highly reliable persistence,” Kyaw explains.
The malware communicates with its C2 server at:
- IP: 218.255.96.245
- Port: 443
- Protocol: custom encrypted traffic framed to look like TLS
“The malware uses port 443 to masquerade as legitimate HTTPS traffic for operational security.”
The ToneShell backdoor embeds the TLS 1.2 Application Data record header bytes (17 03 03, i.e. content type 0x17 and version 0x0303) in its traffic so that it passes for normal HTTPS on cursory inspection, even though no real TLS handshake takes place.
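As an added illustration (not code from the report or from the analyst), the following Python shows what the 17 03 03 framing looks like on the wire and one heuristic a network sensor can apply against it. The heuristic, flagging a connection whose very first client record is Application Data rather than a ClientHello, is this editor's own and is not stated in the report; all byte samples are constructed, not captured traffic.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 16384 + 2048   # TLS 1.2 limit: 2^14 plaintext plus expansion (RFC 5246)


def fake_tls_wrap(payload):
    """Frame an arbitrary payload as a TLS 1.2 Application Data record: 17 03 03 <len> <payload>."""
    return bytes([TLS_APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", len(payload)) + payload


def parse_records(data):
    """Split a byte stream into (content_type, version, body) TLS records.

    Stops at the first header whose length is implausible or whose body is truncated,
    so non-TLS input such as plain HTTP yields no records instead of garbage.
    """
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if length > MAX_RECORD_LEN or len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def classify_client_stream(data):
    """Classify the first bytes a client sends on a new connection.

    Returns 'tls-handshake-first', 'fake-tls-appdata-first', 'not-tls' or 'unknown'.
    """
    records = parse_records(data)
    if not records:
        return "not-tls"
    ctype, version, body = records[0]
    if ctype == TLS_HANDSHAKE and body and body[0] == CLIENT_HELLO:
        return "tls-handshake-first"
    # Application Data cannot legitimately be the first record on a fresh connection:
    # no key has been negotiated yet. A 17 03 03 header here is dressing, not TLS.
    if ctype == TLS_APPLICATION_DATA and version == 0x0303:
        return "fake-tls-appdata-first"
    return "unknown"


# Constructed samples (not captured traffic).
# 1. Minimal genuine ClientHello: TLS 1.2 version, zeroed random, empty session id,
#    one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F), null compression.
_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
_hs = bytes([CLIENT_HELLO]) + len(_hello).to_bytes(3, "big") + _hello
GENUINE_CLIENT_FIRST = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(_hs)) + _hs

# 2. Two back-to-back fake records: pseudo-ciphertext beacons wrapped in 17 03 03 headers.
FAKE_BEACON = fake_tls_wrap(bytes.fromhex("a1b2c3d4e5f60718")) + fake_tls_wrap(b"\x00" * 64)

# 3. Not TLS at all.
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_CLIENT_FIRST), ("fake", FAKE_BEACON), ("http", PLAIN_HTTP)):
        print(f"{name:8s} {sample[:3].hex(' ')}  ->  {classify_client_stream(sample)}")
```

The check is cheap enough to run on the first packet of every outbound 443 flow. It will not catch a backdoor that performs a real handshake first, so treat it as one signal alongside JA3/JA4 fingerprinting and destination reputation (the 218.255.96.245 indicator above) rather than a standalone verdict.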
This trojanized DLL:
- Is compiled with Microsoft Visual C++ 8.0 (Debug build)
- Spoofs metadata: file version, product name, and description match Chrome's
- Imports 118 Windows API functions, enabling:
  - Process and file system control
  - Registry edits
  - Environment manipulation
  - Shell command execution
The DLL also embeds the full persistence command as a string:
schtasks /F /Create /TN "ChromeBrowser-chromiumim" /SC minute /MO 5 /TR "C:\…\ChromePDF.exe FreePDF"
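The persistence chain (Run key plus a five-minute scheduled task) and the Chrome masquerade described above lend themselves to endpoint hunting. The following Python is an added example by this editor, not code from the report: it runs three checks over Sysmon-style process-creation and registry-set events. The sample events are constructed; the full task target path is assumed from the C:\ProgramData\ChromePDFBrowser\ directory the report names, since the report elides it.

```python
import re

# Constructed sample telemetry for this example (not from the report): Sysmon-style
# process-creation and registry-set events as plain dicts. The C:\ProgramData\... paths
# are assumed from the report's install directory; the real task target is elided there.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\ProgramData\ChromePDFBrowser\ChromePDF.exe",
     "description": "Google Chrome",
     "command_line": r"C:\ProgramData\ChromePDFBrowser\ChromePDF.exe FreePDF"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "description": "Task Scheduler Configuration Tool",
     "command_line": (r'schtasks /F /Create /TN "ChromeBrowser-chromiumim" /SC minute /MO 5 '
                      r'/TR "C:\ProgramData\ChromePDFBrowser\ChromePDF.exe FreePDF"')},
    {"event": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ChromePDFBrowser",
     "details": r"C:\ProgramData\ChromePDFBrowser\ChromePDF.exe FreePDF"},
    # Benign controls: real Chrome from its install directory, and a daily backup task.
    {"event": "process_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "description": "Google Chrome",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "description": "Task Scheduler Configuration Tool",
     "command_line": r'schtasks /Create /TN "NightlyBackup" /SC daily /ST 02:00 /TR "C:\Program Files\Backup\backup.exe"'},
]

USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
CHROME_INSTALL_MARKER = "\\google\\chrome\\application\\"
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
# /SWITCH followed by an optional value; a quoted value may contain spaces.
SCHTASKS_OPT = re.compile(r'/(\w+)(?:\s+("([^"]*)"|[^/\s"]\S*))?')
EXE_IN_CMD = re.compile(r'\s*"?([^"]+?\.exe)', re.I)


def _norm(path):
    return path.replace("/", "\\").lower()


def is_user_writable(path):
    return _norm(path).startswith(USER_WRITABLE_ROOTS)


def exe_from_command(cmd):
    """Return the executable path at the start of a command line, dropping arguments."""
    m = EXE_IN_CMD.match(cmd)
    return m.group(1) if m else cmd.strip()


def parse_schtasks(cmd):
    """Map schtasks switches to values, e.g. {'f': None, 'tn': 'X', 'sc': 'minute', 'mo': '5'}."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmd):
        opts[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(2)
    return opts


def chrome_masquerade(ev):
    """A binary describing itself as Google Chrome but running outside a Chrome install directory."""
    if ev.get("description", "").lower() != "google chrome":
        return None
    image = ev.get("image", "")
    if CHROME_INSTALL_MARKER in _norm(image):
        return None
    return f"Chrome-described binary running from {image}"


def short_interval_task(ev, max_minutes=10):
    """schtasks /Create with a minute-granularity schedule whose target lives in a user-writable path."""
    cmd = ev.get("command_line", "")
    if not re.search(r"\bschtasks(\.exe)?\b", cmd, re.I) or "/create" not in cmd.lower():
        return None
    opts = parse_schtasks(cmd)
    if (opts.get("sc") or "").lower() != "minute":
        return None
    mo = opts.get("mo") or "1"          # schtasks defaults the modifier to 1 when omitted
    if not mo.isdigit() or int(mo) > max_minutes:
        return None
    target = exe_from_command(opts.get("tr") or "")
    if not is_user_writable(target):
        return None
    return f"task {opts.get('tn')} runs {target} every {mo} minute(s)"


def run_key_to_writable(ev):
    """A Run-key value whose command points into a user-writable directory."""
    if ev.get("event") != "registry_set":
        return None
    target = ev.get("target", "")
    if RUN_KEY_MARKER not in _norm(target):
        return None
    exe = exe_from_command(ev.get("details", ""))
    if not is_user_writable(exe):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    return f"Run key value {value_name} launches {exe}"


CHECKS = (chrome_masquerade, short_interval_task, run_key_to_writable)


def triage(events):
    """Run every check over every event; returns findings in event order."""
    return [hit for ev in events for check in CHECKS if (hit := check(ev))]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Each check is deliberately narrow so that it can be tuned on its own: the Chrome path allow-list will need widening for per-user installs under %LOCALAPPDATA% (which already falls under C:\Users\ and is therefore also flagged as user-writable), and the interval threshold is a starting point, not a rule.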
The C2 server (218.255.96.245) shows ties to previous campaigns:
- DOPLUGS (2024, Asia-Pacific targeting)
- PUBLOAD (2024, Tibetan community and military)
- Referenced in IBM X-Force and Trend Micro research
“The reuse of 218.255.96.245 across multiple campaigns demonstrates Mustang Panda’s operational efficiency and infrastructure investment strategy.”
Mustang Panda’s continued use of sideloading, infrastructure reuse, and polished social engineering shows a well-funded, persistent threat actor operating at scale.