Security researchers have observed a renewed Mustang Panda campaign that uses a fresh DLL side-loading method to deliver malicious payloads, targeting Tibetan advocacy groups with politically themed lures. The operation first appeared in June 2025 and combines archive-based phishing, hidden library files, dynamic API resolution, and periodic task scheduling to maintain persistence and execute its payload.
Attack overview
Victims receive a ZIP archive that contains a decoy executable, Voice for the Voiceless Photos.exe, and a concealed dynamic-link library, libjyy.dll. The DLL is given both the system and hidden attributes so Explorer conceals it from casual inspection. When the decoy runs, it calls LoadLibraryW to load the hidden library, which then activates the malicious routines while the executable appears legitimate.

The initial delivery begins with a phishing message carrying the ZIP container; once the archive is opened, Explorer hides the malicious DLL because of its combined hidden and system flags. The decoy executable resolves and calls a ProcessMain entry point inside libjyy.dll, handing control to the loader.
Technical analysis, loader behaviour, and obfuscation
The loader, which researchers label ClaimLoader and which leverages DLL side-loading [T1574.006], keeps its static import table minimal. Instead it decrypts API and string names at runtime: a simple XOR routine with the single-byte key 0x19 decodes each encrypted string just before the loader calls LoadLibraryW and GetProcAddress, hiding its true intentions from static analysis.
Example decryption flow, in assembly-like pseudocode, illustrates the approach:

    mov edx, <encrypted_length>
    mov ecx, <encrypted_string_address>
    ; XOR decryption loop
    decrypt_loop:
    mov al, [ecx]
    xor al, 0x19
    mov [ecx], al
    inc ecx
    dec edx
    jnz decrypt_loop
    ; After decryption, load API dynamically
    push <decrypted_string_address>
    call decryptstrloadapi
    call eax ; resolved API call
After the loader decrypts and loads the real payload library, that payload uses a secondary XOR routine, cycling through the four-byte key array [0x01, 0x02, 0x03, 0x04], to decrypt an in-memory Schtasks command. The decoded command creates a scheduled task that reruns the loader every two minutes, ensuring persistence, for example:
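To show how an analyst recovers the strings these two routines protect, the following Python helpers (an added example, not code from the report or from the malware) implement both XOR schemes the article describes: the single-byte key 0x19 used by the loader and the rotating four-byte key used by the payload. The encrypted sample blobs are constructed inside the script by encrypting known plaintext, so they are not bytes from the real samples, and the brute_force_key helper with its marker list is a hypothetical addition showing how the single-byte key can be recovered when it is not already known from the disassembly.

```python
"""Decoders for the two XOR schemes described above (added example, not
report or malware code).  The single-byte key 0x19 protects the loader's API
and string names; the rotating key [0x01, 0x02, 0x03, 0x04] protects the
payload's in-memory schtasks command.  Sample blobs are constructed here by
encrypting known plaintext; they are not bytes taken from the real samples."""
from itertools import cycle
import re

LOADER_KEY = 0x19
PAYLOAD_KEY = bytes([0x01, 0x02, 0x03, 0x04])


def xor_single(data: bytes, key: int = LOADER_KEY) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def xor_rolling(data: bytes, key: bytes = PAYLOAD_KEY) -> bytes:
    """XOR with a repeating multi-byte key (key[i % len(key)] for byte i)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def carve_strings(blob: bytes, key: int, min_len: int = 6) -> list:
    """Decode a blob with a single-byte key and return the printable ASCII
    runs, which is what an analyst scans for API names after decoding."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return pattern.findall(xor_single(blob, key))


def brute_force_key(blob: bytes,
                    markers=(b"LoadLibraryW", b"GetProcAddress", b"VirtualAlloc")):
    """Try all 256 single-byte keys and return (key, hits) for the key whose
    output contains the most known API names.  Hypothetical helper for the
    case where the key is not already known from the disassembly."""
    best = (None, -1)
    for candidate in range(256):
        hits = sum(1 for m in markers if m in xor_single(blob, candidate))
        if hits > best[1]:
            best = (candidate, hits)
    return best


# Constructed sample data: known plaintext encrypted with the documented keys.
SAMPLE_API_BLOB = xor_single(b"LoadLibraryW\x00GetProcAddress\x00VirtualAlloc\x00")
SAMPLE_TASK_BLOB = xor_rolling(
    b'schtasks /Create /TN AdobeExperienceManager /SC MINUTE /MO 2 '
    b'/TR "C:\\Windows\\Adobe\\licensinghelper.exe Licensing" /F'
)

if __name__ == "__main__":
    print("single-byte key guess:", brute_force_key(SAMPLE_API_BLOB))
    for s in carve_strings(SAMPLE_API_BLOB, LOADER_KEY):
        print("  api:", s.decode())
    print("decoded task:", xor_rolling(SAMPLE_TASK_BLOB).decode())
```

Because XOR is its own inverse, the same two functions serve both to build the test blobs and to decode captured ones; in practice the analyst points carve_strings at the encrypted string table dumped from the DLL's data section.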
    schtasks /Create /TN AdobeExperienceManager /SC MINUTE /MO 2 /TR "C:\Windows\Adobe\licensinghelper.exe Licensing" /F

During initialization the malicious DLL renames the decoy and loader to %SystemRoot%\Adobe\licensinghelper.exe, registers a run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named AdobeLicensingHelper, and creates the scheduled task. The loader allocates executable memory via VirtualAlloc, copies shellcode into it, and abuses the EnumFontsW callback mechanism to trigger shellcode execution. The shellcode performs API hashing to resolve network functions, then exfiltrates system data to a command-and-control server.
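The delivery pattern at the start of this chain, an archive pairing a decoy executable with a DLL carrying the hidden and system attributes, is something a mail gateway or triage script can flag before anyone double-clicks the decoy. The Python check below is an added example, not code from the report; it relies on the fact that Windows archivers store the MS-DOS attribute byte in the low eight bits of a ZIP entry's external attributes, which Python's zipfile exposes as ZipInfo.external_attr. The sample archive is constructed in memory with placeholder contents, so nothing here comes from the real lure.

```python
"""Triage check for the delivery pattern described above (added example, not
report code).  A ZIP that pairs an executable with a DLL carrying the MS-DOS
hidden (0x02) and system (0x04) attributes is flagged.  zipfile exposes those
bits in the low byte of ZipInfo.external_attr, where Windows archivers store
them; the sample archive is built in memory so the check runs offline."""
import io
import posixpath
import zipfile

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20


def dos_attributes(info: zipfile.ZipInfo) -> int:
    """MS-DOS attribute byte recorded for an archive member."""
    return info.external_attr & 0xFF


def find_sideload_pairs(zip_bytes: bytes) -> list:
    """Return (exe, dll, flags) triples for every hidden or system DLL that
    sits in the same directory as an .exe inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        exes = [m.filename for m in members if m.filename.lower().endswith(".exe")]
        for m in members:
            if not m.filename.lower().endswith(".dll"):
                continue
            attrs = dos_attributes(m)
            flags = {
                "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
            }
            if not (flags["hidden"] or flags["system"]):
                continue  # a visible DLL beside an exe is not suspicious on its own
            dll_dir = posixpath.dirname(m.filename)
            for exe in exes:
                if posixpath.dirname(exe) == dll_dir:
                    findings.append((exe, m.filename, flags))
    return findings


def build_sample_zip(hide_dll: bool = True) -> bytes:
    """Construct an archive shaped like the lure: a decoy .exe plus a DLL whose
    attribute byte is set the way the report describes.  Contents are
    placeholder bytes, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voice for the Voiceless Photos.exe", b"MZ placeholder")
        dll = zipfile.ZipInfo("libjyy.dll")
        dll.external_attr = FILE_ATTRIBUTE_ARCHIVE
        if hide_dll:
            dll.external_attr |= FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        zf.writestr(dll, b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll, flags in find_sideload_pairs(build_sample_zip()):
        print(f"suspicious pair: {exe} <- {dll} {flags}")
```

The check deliberately keys on the attribute bits rather than on the file names, since the decoy and library names change between campaigns while the trick of hiding the DLL from Explorer is what makes the lure work.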