Cyber Security News

Mustang Panda Attacking Windows Users With ToneShell Malware Mimicking Google Chrome

A sophisticated new cyber campaign has emerged targeting Windows users through a deceptive malware variant known as ToneShell, which masquerades as the legitimate Google Chrome browser.

The advanced persistent threat (APT) group Mustang Panda, known for its strategic targeting of government and technology sectors, has deployed this latest tool as part of an ongoing espionage operation designed to infiltrate corporate networks and steal sensitive information.

The malware campaign leverages social engineering techniques to distribute ToneShell through compromised websites and phishing emails, often presenting itself as a Chrome browser update or installation package.

Initial infection vectors include malicious email attachments disguised as legitimate software installers and drive-by downloads from compromised websites that redirect users to fake Chrome download pages.

Attack chain (Source – LinkedIn)

CREST Registered Threat Intelligence Analysts Phyo Paing Htun, Zaw Min Htun and Kyaw Pyiyt Htet (Mikoyan) noted that ToneShell exhibits sophisticated evasion capabilities, using process hollowing to inject malicious code into a legitimate system process while maintaining the appearance of normal Chrome browser activity.

The malware establishes persistence through registry modifications and scheduled task creation, ensuring continued access even after system reboots.

The impact of this campaign extends beyond individual users, as ToneShell functions as a backdoor enabling remote access, data exfiltration, and lateral movement within compromised networks.

Organizations across multiple sectors have reported suspicious network activity consistent with Mustang Panda’s operational patterns, including unauthorized data transfers and reconnaissance activities targeting intellectual property and government communications.

Infection Mechanism and Payload Delivery

ToneShell employs a multi-stage deployment process that begins with a dropper component designed to evade endpoint detection systems.

API Function Capabilities (Source – LinkedIn)

Upon execution, the malware creates a hollowed Chrome process and injects its payload using the following sequence of Win32 API calls:

STARTUPINFOW si = { sizeof(si) };          /* CreateProcess expects initialised structs */
PROCESS_INFORMATION pi = { 0 };
CreateProcessW(L"chrome.exe", NULL, NULL, NULL,   /* returns BOOL; the process handle is pi.hProcess */
    FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
LPVOID allocated_memory = VirtualAllocEx(pi.hProcess, NULL, payload_size,   /* keep the remote address */
    MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, allocated_memory, malicious_payload, payload_size, NULL);

The malware establishes communication with command and control servers through encrypted channels, mimicking legitimate Chrome network traffic patterns.

This sophisticated approach allows ToneShell to remain undetected while maintaining persistent access to compromised systems, highlighting the evolving threat landscape facing Windows users and organizations worldwide.
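The behaviours described above leave observable traces: a process named chrome.exe that does not live in Chrome's install directory and is started by something other than the browser, a Run key or scheduled task that points at such a binary. The following is an added detection example written for this article; it is not code from the article, from the analysts it cites, or from any vendor. It runs a simple correlation rule over a handful of constructed Sysmon-style events (field names and all sample paths are made up for illustration), and it assumes the two default system-wide Chrome install directories as the allow list.

```python
"""
Added example (not from the article or the analysts it cites): a small
correlation rule over constructed Sysmon-style events that flags
 1. chrome.exe launched from outside Chrome's install directory by a
    process that is not Chrome itself (the hollowed-process pattern), and
 2. persistence (Run key value or schtasks /create) pointing at such a binary.
Event shapes, paths and the SID below are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Assumption: system-wide default install directories of a genuine Chrome.
LEGIT_CHROME_DIRS = (
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
)

# Matches the /tr (task run) argument of schtasks, quoted or bare.
_TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_fake_chrome(image_path: str) -> bool:
    """True when the image is named chrome.exe but lives outside the install dirs."""
    p = PureWindowsPath(image_path.strip('"').lower())
    if p.name != "chrome.exe":
        return False
    return not any(str(p.parent).startswith(d) for d in LEGIT_CHROME_DIRS)


def scheduled_task_action(cmdline: str):
    """Return the program a 'schtasks /create' command line would run, or None."""
    m = _TR_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


# Constructed events: id 1 = process create, id 13 = registry value set.
CONSTRUCTED_EVENTS = [
    # Genuine browser started by the shell: expected, no alert.
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},
    # chrome.exe from a user-writable directory, launched by a fake installer.
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\ChromeUpdate\chrome.exe",
     "parent_image": r"C:\Users\bob\Downloads\ChromeSetup.exe", "cmdline": "chrome.exe"},
    # Run key value pointing at that binary.
    {"id": 13,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "details": r"C:\Users\bob\AppData\Local\Temp\ChromeUpdate\chrome.exe"},
    # Scheduled task created by the fake chrome.exe to relaunch itself at logon.
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\ChromeUpdate\chrome.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn GoogleUpdater '
                r'/tr "C:\Users\bob\AppData\Local\Temp\ChromeUpdate\chrome.exe"'},
]


def detect(events):
    """Return a list of (rule_name, offending_path) tuples for the given events."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            image = ev["image"]
            parent_name = PureWindowsPath(ev["parent_image"].lower()).name
            # Rule 1: a non-install-dir chrome.exe whose parent is not Chrome.
            # (Genuine Chrome spawns chrome.exe renderers; this keeps one alert
            # per hollowed launch instead of one per child it may spawn.)
            if is_fake_chrome(image) and parent_name != "chrome.exe":
                alerts.append(("fake_chrome_launch", image))
            # Rule 2b: scheduled-task persistence pointing at a fake chrome.exe.
            if PureWindowsPath(image.lower()).name == "schtasks.exe" \
                    and "/create" in ev["cmdline"].lower():
                target = scheduled_task_action(ev["cmdline"])
                if target and is_fake_chrome(target):
                    alerts.append(("schtask_persistence", target))
        elif ev["id"] == 13:
            # Rule 2a: Run key value whose data is a fake chrome.exe.
            if "\\currentversion\\run\\" in ev["target_object"].lower() \
                    and is_fake_chrome(ev["details"]):
                alerts.append(("runkey_persistence", ev["details"].strip('"')))
    return alerts


if __name__ == "__main__":
    for rule, path in detect(CONSTRUCTED_EVENTS):
        print(f"{rule}: {path}")
```

The allow list is the tuning point: Chrome also supports a per-user install under the user's local application data directory, and an environment with such installs needs that location added (or a signature check on the binary) before this rule is deployed, otherwise every per-user Chrome will be flagged.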


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
