Possible APT32/Ocean Lotus Installer abusing MST Transforms

An ISO image discovered in May 2025 carried malware built around an MST transform that abuses the Windows MSI installer to deploy a multi-stage payload involving DLL side-loading and in-memory shellcode execution. The campaign is linked to the threat actor Ocean Lotus (APT32) and features advanced persistence and encryption techniques. #OceanLotus #APT32 #MSTTransform #DLLSideLoading

Keypoints

  • An ISO image containing a shortcut file (.lnk) and hidden MSI and MST files was uploaded to VirusTotal from Taiwan in May 2025.
  • The attack uses an unsecured MST transform applied to a legitimate MSI installer to inject malicious actions, including dropping DLLs and opening a decoy PDF.
  • The MST deploys a DLL (tbs.dll) that is side-loaded by the legitimate PcHealthCheck.exe to execute malicious code.
  • The malware implements a function hook in RtlUserThreadStart to redirect execution flow to a custom loader that decrypts and decompresses embedded shellcode.
  • The final payload is a Rust-based implant with a statically linked libcurl library, connecting to a hardcoded C2 server while mimicking a Huawei Android user agent.
  • This malicious activity is attributed to Ocean Lotus (APT32) based on prior QiAnXin intelligence reports from November 2024.
  • Use of MST transforms in this manner is rare, representing an evolution in targeted attack techniques involving MSI package manipulation and multi-stage payload execution.
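Detection logic for the transform-based launch described in the keypoints above, written here as an added example (not code from the original post or its author). It scans constructed process-creation events in a Sysmon-like JSON layout and flags msiexec runs that apply an external MST transform; the field names, sample paths and scoring are assumptions.

```python
import json
import re

# TRANSFORMS=<list> public property on an msiexec command line; may be quoted, ';'-separated.
TRANSFORMS_RE = re.compile(r'TRANSFORMS=(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Assumed suspicious origins: mounted ISO/removable drive letters, UNC shares, profile/temp dirs.
SUSPICIOUS_DIR_RE = re.compile(
    r'^(?:[D-Z]:\\|\\\\|.*\\(?:Users|Temp|AppData|Downloads)\\)', re.IGNORECASE)

def external_transforms(cmdline):
    """Transform entries naming a file outside the MSI (':' prefix = embedded transform)."""
    m = TRANSFORMS_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t for t in raw.split(";") if t and not t.startswith(":")]

def score_event(event):
    """Score one process-creation event; None unless msiexec applies an external MST."""
    if not event.get("Image", "").lower().endswith("\\msiexec.exe"):
        return None
    cmd = event.get("CommandLine", "")
    transforms = external_transforms(cmd)
    if not transforms:
        return None
    reasons = ["external MST transform applied: " + ";".join(transforms)]
    if any(SUSPICIOUS_DIR_RE.match(t) for t in transforms):
        reasons.append("transform loaded from removable or user-writable path")
    if re.search(r"/q[nb]?\b|/quiet", cmd, re.IGNORECASE):
        reasons.append("quiet install, no UI shown to the user")
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("started from explorer.exe, consistent with a double-clicked .lnk")
    return {"pid": event.get("ProcessId"), "score": len(reasons), "reasons": reasons}

def scan(lines):
    hits = (score_event(json.loads(ln)) for ln in lines if ln.strip())
    return [h for h in hits if h]

# Constructed sample events (not real telemetry): first resembles the ISO chain, second is benign.
SAMPLE_LOG = [
    '{"ProcessId": 4120, "Image": "C:\\\\Windows\\\\System32\\\\msiexec.exe", '
    '"ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": '
    '"msiexec /i D:\\\\WindowsPCHealthCheckSetup.msi TRANSFORMS=D:\\\\setup.mst /qn"}',
    '{"ProcessId": 5188, "Image": "C:\\\\Windows\\\\System32\\\\msiexec.exe", '
    '"ParentImage": "C:\\\\Windows\\\\System32\\\\services.exe", "CommandLine": '
    '"msiexec /i C:\\\\Windows\\\\Installer\\\\1a2b.msi /qn"}',
]
```

Calling `scan(SAMPLE_LOG)` returns one hit for PID 4120 with all four reasons; a transform supplied as an embedded `:name` entry is not reported.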

MITRE Techniques

  • [T1137] Office Application Startup – Executed hidden MSI installer and MST transform via a malicious .lnk file disguised as a PDF (“脱密 中央国安办.pdf.lnk”).
  • [T1218] Signed Binary Proxy Execution – Abuse of WindowsPCHealthCheckSetup.msi and side-loading of malicious tbs.dll by PcHealthCheck.exe.
  • [T1055] Process Injection – Injection of shellcode into legitimate DLL (xpsservices.dll) by memory patching and execution in memory.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence established via a registry run key for %LocalAppData%\PCHealthCheck\PCHealthCheck.exe.
  • [T1140] Deobfuscate/Decode Files or Information – Custom AES-256 ECB decryption combined with XOR applied to the encrypted shellcode blob before decompression with LZMA.
  • [T1106] Native API – Use of ZwProtectVirtualMemory and LoadLibraryExA APIs to manipulate memory protections and load DLLs.
  • [T1071.001] Application Layer Protocol: Web Protocols – The final implant communicates with a C2 server over HTTP using a forged User-Agent string.

Indicators of Compromise

  • [File Hash] Malicious ISO and components – ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5 (ISO); c430f5388a36be5a3b18a382c4a5e1f25f28a2db1ebd22009885ec1ec92bd061 (.lnk); f87bf57756049015686b7769b5a8db32026d310bf853e7d132424f7513fe316c5 (MSI); 2f32ca6358a57531c04c640625f2b30a3c1bdbcbfd896107597fcdcbab3153e0 (MST); 20c8b797b614f574070d591248edcaa764ecfb95eba3f58a98bf2e40b4d91ffe (Transforms.dll and tbs.dll).
  • [Domain/IP] C2 server – http://194.87.108[.]94:80/users/b97fc88c-cff5-4433-a784-df2a5e094452/profile/information used by the Rust-based final implant.


Read more: https://dmpdump.github.io/posts/Possible-Ocean-LotusInstaller-Abusing-MST-Transforms/