Mustang Panda Employ PubLoader Through ClaimLoader Yes Another DLL Side-Loading Technique Delivery via Phishing

Mustang Panda (China-nexus) delivered a politically themed phishing archive in June 2025 that relies on DLL side-loading: a decoy executable loads a hidden libjyy.dll (Claimloader), which decrypts its strings, sets up persistence, and runs the Publoader shellcode, resolving APIs by hash and triggering execution through a callback. The campaign uses file-attribute hiding, two string-decryption routines (single-byte XOR with 0x19 and a rotating 4-byte XOR), scheduled-task and Run-key persistence, and shellcode execution via the EnumFontsW callback. #MustangPanda #libjyy.dll

Keypoints

  • Initial vector: a .ZIP containing a decoy executable “Voice for the Voiceless Photos.exe” and a DLL libjyy.dll marked hidden and system (attribute flags -arhs-), so Explorer does not list it.
  • The decoy’s sole purpose is to load the hidden DLL with LoadLibraryW and call its exported ProcessMain, which starts the real payload.
  • Claimloader (libjyy.dll) decrypts strings (single-byte XOR key 0x19 and a rotating 4-byte XOR), dynamically resolves APIs by parsing ntdll and using LdrLoadDll/LdrGetProcedureAddress, and loads subsequent stages.
  • Persistence: implements T1547.001 by copying files to C:\ProgramData\AdobeLicensingPlugin\ and adding a Run-key entry, plus scheduled-task creation (T1053.005) via a decrypted schtasks command that runs the payload every 2 minutes.
  • Argument gate: Claimloader checks for the “Licensing” argument to follow the payload execution path; without it, it performs persistence setup and exits to enable later execution with the argument.
  • Shellcode handling: Claimloader allocates executable memory (VirtualAlloc), copies decrypted shellcode, and triggers execution by passing shellcode pointer as callback to EnumFontsW (callback abuse).
  • Publoader shellcode uses PEB walking and ROR13 hashing to resolve DLLs/APIs and API hashing to dynamically load functions, then collects system data and communicates with C2.
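The two string-decryption schemes and the hash-based API resolution described in the key points above, re-implemented as an added Python example. This is not code from the 0x0d4y write-up or from the malware itself. Assumptions: the two encrypted blobs are constructed here by XOR-encrypting known plaintexts (the page reproduces no raw ciphertext from the sample), and the exact ROR13 convention (ASCII export name including the terminating NUL; upper-cased UTF-16LE module name without terminator, as in the classic PEB-walking resolver) is assumed because the page does not state which variant Publoader uses. `guess_single_byte_key` goes one step beyond the page: it recovers an unknown single-byte key from a blob that is expected to decrypt to a NUL-terminated DLL name.

```python
"""Claimloader-style string decryption and a ROR13 name hasher/resolver.

Added example, not code from the write-up or the malware. Ciphertexts are
constructed (see ENC_* below); the ROR13 convention is an assumption.
"""
from typing import Dict, Iterable, List, Optional

SINGLE_BYTE_KEY = 0x19                          # key reported for API/DLL names
ROTATING_KEY = bytes([0x01, 0x02, 0x03, 0x04])  # key reported for longer commands
MASK32 = 0xFFFFFFFF

# Constructed ciphertexts: b"ntdll.dll\0" under 0x19, b"Licensing\0" under 01 02 03 04.
ENC_NTDLL = bytes.fromhex("776d7d7575377d757519")
ENC_LICENSING = bytes.fromhex("4d6b60616f716a6a6602")


def xor_single(data: bytes, key: int = SINGLE_BYTE_KEY) -> bytes:
    """XOR every byte with one key. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def xor_rotating(data: bytes, key: bytes = ROTATING_KEY) -> bytes:
    """XOR byte i with key[i % len(key)]. Also symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def cstring(buf: bytes) -> str:
    """Decrypted blobs are NUL-terminated C strings: keep the bytes before the first NUL."""
    return buf.split(b"\x00", 1)[0].decode("latin-1")


def guess_single_byte_key(blob: bytes, suffix: str = ".dll") -> List[int]:
    """Brute-force a single-byte key when the plaintext should be a printable,
    NUL-terminated string ending in `suffix` (e.g. a DLL name)."""
    hits = []
    for key in range(256):
        text = xor_single(blob, key)
        if b"\x00" not in text:
            continue
        s = text.split(b"\x00", 1)[0]
        if s.endswith(suffix.encode()) and all(0x20 <= c < 0x7F for c in s):
            hits.append(key)
    return hits


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13(data: bytes) -> int:
    """h = ror(h, 13) + byte, over every byte supplied."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(name: str) -> int:
    """Export-name variant: ASCII bytes plus the terminating NUL (assumed convention)."""
    return ror13(name.encode("ascii") + b"\x00")


def dll_hash(name: str) -> int:
    """Module variant: upper-cased UTF-16LE BaseDllName, no terminator (assumed convention)."""
    return ror13(name.upper().encode("utf-16-le"))


def build_table(dlls: Iterable[str], apis: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so constants pulled from shellcode can be looked up."""
    table = {dll_hash(d): d for d in dlls}
    table.update({api_hash(a): a for a in apis})
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the name behind a hash constant, or None if it is not in the table."""
    return table.get(h & MASK32)


if __name__ == "__main__":
    print(cstring(xor_single(ENC_NTDLL)))                       # ntdll.dll
    print(cstring(xor_rotating(ENC_LICENSING)))                 # Licensing
    print([hex(k) for k in guess_single_byte_key(ENC_NTDLL)])  # ['0x19']
    table = build_table(["kernel32.dll", "ntdll.dll"],
                        ["VirtualAlloc", "EnumFontsW", "LdrLoadDll"])
    h = api_hash("EnumFontsW")
    print(f"{h:08X} -> {resolve(h, table)}")                    # ... -> EnumFontsW
```

To apply this to a real sample, feed `xor_single`/`xor_rotating` the raw encrypted blobs carved from libjyy.dll, and extend `build_table` with the export lists of the DLLs the shellcode is expected to touch; a hash that stays unresolved usually means the hashing convention (case handling, terminator, rotation count) differs from the assumed one, not that the name is exotic.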

MITRE Techniques

  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys: Adds a value under Software\Microsoft\Windows\CurrentVersion\Run that launches “C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe Licensing” at the next logon – “adding a program to the Software\Microsoft\Windows\CurrentVersion\Run registry key”
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task: Creates a task named “AdobeExperienceManager” that runs every 2 minutes and executes WF_Adobe_licensing_helper.exe with the “Licensing” argument – “schtasks … /Create … /TN ‘AdobeExperienceManager’ /SC minute /MO 2 /TR ‘C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe Licensing’ “
  • [T1574.001 ] DLL Side-Loading: Decoy loads a hidden DLL libjyy.dll dynamically via LoadLibraryW and calls exported functions (ProcessMain) to execute the real payload – “the decoy loads the hidden DLL dynamically, through LoadLibraryW, and specifically the ProcessMain function.”
  • [T1106 ] Native API (callback abuse; not T1090 Proxy, which is a network-level technique): Executes the shellcode by passing its buffer address as the callback parameter of EnumFontsW, so the GDI API itself calls into the shellcode – “the offset of this buffer will be used as an argument for the EnumFontsW function call, which … will execute the shellcode by abusing the API’s Callback mechanism.”
  • [T1566.001 ] Phishing: Spearphishing Attachment (not T1105 Ingress Tool Transfer: the hidden DLL arrives inside the phishing archive rather than being fetched over the network): The decoy executable in the ZIP loads libjyy.dll, which contains Claimloader and in turn decrypts and stages the Publoader shellcode – “this decoy … to load the real malicious payload which consists of the hidden DLL named libjyy.dll.”
  • [T1564.001 ] Hidden Files and Directories and [T1027 ] Obfuscated Files or Information (not T1027.002 Software Packing): Hides libjyy.dll with the hidden and system attributes and XOR-encrypts strings (single-byte 0x19 and a rotating 4-byte key) to conceal API/DLL names and the persistence command – “… libjyy.dll, containing the -arhs- modes … Explorer doesn’t show libjyy.dll because it’s marked as both hidden and system” and “single-byte key 0x19” / “4-byte array 0x01,0x02,0x03,0x04”
  • [T1059 ] Command and Scripting Interpreter: Runs a decrypted schtasks command line through CreateProcessA to register the recurring task (the PowerShell sub-technique T1059.001 does not apply; no PowerShell is involved) – “schtasks → Windows binary to create, delete or manage scheduled tasks … /TR ‘C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe Licensing’ “
  • [T1218 ] System Binary Proxy Execution: Relies on the legitimate schtasks.exe to register the task; the CreateProcessA and EnumFontsW calls quoted alongside it are Win32 API calls made from the loader’s own process (T1106), not execution proxied through a signed binary – “schtasks …”, “CreateProcessA API … executing the command”, “EnumFontsW … will execute the shellcode”
  • [T1055 ] Process Injection (loosely: the shellcode is allocated and run inside Claimloader’s own process, so this is in-process shellcode execution rather than injection into another process): Allocates RWX memory with VirtualAlloc, copies the decrypted Publoader shellcode into it, and transfers control via the EnumFontsW callback – “VirtualAlloc … PAGE_EXECUTE_READWRITE … shellcode … copied … executed”

Indicators of Compromise

  • [File name ] Malicious payloads observed – Voice for the Voiceless Photos.exe (decoy), libjyy.dll (hidden payload)
  • [File path ] Persistence locations – C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe, C:\ProgramData\AdobeLicensingPlugin\NewUI.dll
  • [Registry ] Persistence key – Software\Microsoft\Windows\CurrentVersion\Run -> entry launching WF_Adobe_licensing_helper.exe Licensing
  • [Scheduled Task ] Scheduled task details – Task name “AdobeExperienceManager” with schtasks parameters: /SC minute /MO 2 /TR “C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe Licensing”
  • [String/Encryption ] Decryption artifacts – single-byte XOR key 0x19 used for API/DLL names, and 4-byte rotating XOR key sequence 0x01,0x02,0x03,0x04 for longer commands
  • [Shellcode hashes ] Publoader DLL/API hash constants (examples) – 6E2BCA17 and 8FECD63F, compared against ROR13 hashes of candidate DLL/API names during resolution
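The persistence and side-loading indicators listed above, turned into hunting checks, as an added Python example; this is not code from the 0x0d4y write-up. The three record types stand in for data you would export from a host (Run-key values, scheduled-task details, a directory listing with attribute flags). Every sample record is constructed for the demo: the persistence paths follow the IoC section with the path separators restored, while the Run-value name, the victim profile path and the download folder are invented because the page does not give them. The checks key on the behaviour rather than the literal names, so they also catch variants of the same layout (a short-interval task or Run entry pointing at an executable in a user-writable directory, and a hidden+system DLL placed next to an .exe).

```python
"""Hunting checks for the persistence and side-loading artifacts in the IoC list.

Added example, not code from the write-up. All records below are constructed;
the Run-value name and local paths are invented for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories an ordinary user can write to; a persistence target living here is a
# far stronger signal than one under %SystemRoot% or Program Files.
USER_WRITABLE = re.compile(r"^(c:\\programdata\\|c:\\users\\[^\\]+\\)", re.I)


@dataclass
class RunValue:
    name: str
    command: str


@dataclass
class Task:
    name: str
    command: str
    repeat_minutes: int  # 0 when the task does not repeat


@dataclass
class FileEntry:
    path: str
    attributes: str  # attrib-style letters; the write-up shows libjyy.dll as "-arhs-"


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (executable, arguments), honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def suspicious_run_values(values: List[RunValue]) -> List[str]:
    """Run-key entries launching an .exe from a user-writable directory with an
    argument, the pattern behind '... WF_Adobe_licensing_helper.exe Licensing'
    (the argument is the loader's execution gate)."""
    hits = []
    for v in values:
        exe, args = split_command(v.command)
        if USER_WRITABLE.match(exe) and exe.lower().endswith(".exe") and args:
            hits.append(f"Run\\{v.name}: {exe} (arg: {args})")
    return hits


def suspicious_tasks(tasks: List[Task], max_minutes: int = 5) -> List[str]:
    """Tasks re-running at a very short interval from a user-writable directory;
    the sample's 'AdobeExperienceManager' task fires every 2 minutes."""
    hits = []
    for t in tasks:
        exe, _ = split_command(t.command)
        if 0 < t.repeat_minutes <= max_minutes and USER_WRITABLE.match(exe):
            hits.append(f"Task {t.name}: every {t.repeat_minutes} min -> {exe}")
    return hits


def sideload_pairs(files: List[FileEntry]) -> List[Tuple[str, str]]:
    """Hidden+system DLLs in the same directory as an .exe: the layout that keeps
    libjyy.dll out of Explorer next to the decoy executable."""
    exes_by_dir = {}
    for f in files:
        if f.path.lower().endswith(".exe"):
            exes_by_dir.setdefault(f.path.rsplit("\\", 1)[0].lower(), []).append(f.path)
    pairs = []
    for f in files:
        flags = f.attributes.lower()
        if f.path.lower().endswith(".dll") and "h" in flags and "s" in flags:
            for exe in exes_by_dir.get(f.path.rsplit("\\", 1)[0].lower(), []):
                pairs.append((f.path, exe))
    return pairs


# Constructed sample data (not taken from an infected host).
SAMPLE_RUN = [
    RunValue("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    RunValue("AdobeLicensing",  # value name invented for the demo
             r'"C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe" Licensing'),
]
SAMPLE_TASKS = [
    Task(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$", 0),
    Task("AdobeExperienceManager",
         r"C:\ProgramData\AdobeLicensingPlugin\WF_Adobe_licensing_helper.exe Licensing", 2),
]
DROP_DIR = r"C:\Users\victim\Downloads\Voice for the Voiceless Photos"  # invented
SAMPLE_FILES = [
    FileEntry(DROP_DIR + r"\Voice for the Voiceless Photos.exe", "-a----"),
    FileEntry(DROP_DIR + r"\libjyy.dll", "-arhs-"),
    FileEntry(r"C:\Windows\System32\kernel32.dll", "-a----"),
]

if __name__ == "__main__":
    for line in suspicious_run_values(SAMPLE_RUN) + suspicious_tasks(SAMPLE_TASKS):
        print(line)
    for dll, exe in sideload_pairs(SAMPLE_FILES):
        print(f"hidden+system DLL {dll} beside {exe}")
```

On a real host the records come from `reg query` of the Run keys under both HKCU and HKLM, from `schtasks /Query /V` (or the task XML under C:\Windows\System32\Tasks), and from a recursive listing that includes hidden and system files; Explorer and a plain `dir` will not show libjyy.dll, so the listing must be taken with attributes visible.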


Read more: https://0x0d4y.blog/mustang-panda-employ-publoader-through-claimloader-yes-another-dll-side-loading-technique-delivery-via-phishing/