Earth Preta APT Exploit Microsoft Utility Tool & Bypass AV Detection to Control Windows

Abhimanyu Singh
Abhimanyu Singh

Engineering Manager

 
February 18, 2025 3 min read

Researchers from Trend Micro’s Threat Hunting team have uncovered a sophisticated cyberattack campaign by the advanced persistent threat (APT) group Earth Preta, also known as Mustang Panda. This group has been leveraging new techniques to infiltrate systems and evade detection, primarily targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand. Earth Preta employs a combination of spear-phishing emails and advanced malware to compromise Windows systems.

Attack Vector and Techniques

The group uses the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate Windows processes, such as waitfor.exe, particularly when ESET antivirus software is detected. This approach allows them to bypass security measures and maintain persistence on infected systems. The attack chain begins with the execution of a malicious file (IRSetup.exe), which drops multiple files—both legitimate executables and malicious components—into the system. To distract victims, the attackers deploy a decoy PDF that appears to be an official document, such as one requesting cooperation on an anti-crime platform allegedly supported by government agencies. Earth Preta Kill Chain

Malware Analysis

The core of Earth Preta’s operation involves a modified variant of the TONESHELL backdoor malware, sideloaded using OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application, along with a malicious DLL (EACore.dll). The malware communicates with a command-and-control (C&C) server at www[.]militarytc[.]com:443 for data exfiltration and remote operations. Key capabilities of the malware include:

  • Reverse shell access
  • File deletion and movement
  • Persistent storage of victim identifiers for future exploitation

The malware adapts its behavior based on the presence of ESET antivirus software. When detected, it uses MAVInject.exe to inject code into running processes; otherwise, it employs alternative techniques like WriteProcessMemory and CreateRemoteThreadEx APIs for code injection. The group has been active since at least 2022 and has reportedly compromised over 200 victims during this period. Their operations are characterized by their focus on government entities and their reliance on phishing as an initial attack vector. Decoy PDF

Evasion Techniques and Persistence

Earth Preta has upgraded its attacks, employing new tools and malware variants. The malware incorporates a variant of the worm HIUPAN to propagate PUBLOAD into their targets' networks. The group also uses additional tools such as FDMTP and PTSOCKET for control and data exfiltration. Their recent campaigns include spear-phishing emails with multi-stage downloaders like DOWNBAIT and PULLBAIT, leading to further malware deployments. Earth Preta's attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region.

Initial Access and Propagation

Earth Preta employs PUBLOAD as one of the first-stage control tools. While spear-phishing emails were previously used to deliver PUBLOAD, a version of PUBLOAD is now delivered via a variant of HIUPAN propagating through removable drives. This variant has been observed to have an easier configuration, utilizing an external config file for its propagation and watchdog function. HIUPAN will install its copy and create an autorun registry for its installed copy to ensure persistence. The watcher function periodically checks for removable drives and propagates itself by copying its components to them, creating a misleading single visible file to bait users into clicking it.

Data Collection and Exfiltration

Data collection is performed regularly, targeting specific file types modified within certain dates. The exfiltration process is executed using different methods, primarily via cURL to upload archived files to an attacker-owned FTP site. Earth Preta has shown advanced capabilities in adapting its tools for stealth and efficiency during operations. Organizations in the Asia-Pacific region are particularly at risk and should remain vigilant against phishing attempts and ensure robust endpoint protection measures are in place.

Cybersecurity Solutions

To counter threats like those posed by Earth Preta, organizations should adopt advanced cybersecurity solutions. GrackerAI provides comprehensive services, including real-time monitoring of cybersecurity vulnerabilities, AI-powered content generation, smart analysis of industry trends, and 24/7 surveillance with customized alert notifications. Explore how GrackerAI can automate your cybersecurity marketing, delivering daily news, SEO-optimized blogs, AI copilot assistance, newsletters, and more. Start your FREE trial today at GrackerAI

Abhimanyu Singh
Abhimanyu Singh

Engineering Manager

 

Engineering Manager driving innovation in AI-powered SEO automation. Leads the development of systems that automatically build and maintain scalable SEO portals from Google Search Console data. Oversees the design and delivery of automation pipelines that replace traditional $360K/year content teams—aligning engineering execution with business outcomes.

Related Articles

social media aggregators

How Social Media Aggregators Drive B2B Engagement and SEO Results

Learn how social media aggregators drive B2B engagement, boost SEO rankings, build trust with social proof, and enhance brand visibility.

By Ankit Agarwal September 13, 2025 3 min read
Read full article
website authority

How to Check a Website’s Authority Before Building Links

Learn how to check website authority before link building. Discover DA, DR, spam score, and tips to build safe, high-quality backlinks.

By Nikita Shekhawat September 13, 2025 4 min read
Read full article
Vimeo pricing 2025

Vimeo Pricing Compared: 2025 Breakdown & The Smartest Alternatives

Compare Vimeo’s 2025 pricing with top video hosting alternatives. See features, costs, and best options for creators, marketers, and businesses.

By Ankit Agarwal September 13, 2025 11 min read
Read full article

10 SEO Conferences to Attend in 2025

Boost your SEO skills! Explore 10 essential conferences for 2025 to learn from experts, gain actionable insights, and grow your network.

By Lydia Havens September 13, 2025 17 min read
Read full article