Hackers Exploit MAVInject.exe to Evade Detection – What You Need to Know

In a recent cybersecurity revelation, Chinese state-sponsored hackers—specifically the group known as Mustang Panda—have been found exploiting MAVInject.exe, a legitimate Windows system utility, to inject malicious code into running processes. This sophisticated attack method enables them to evade detection while compromising high-value targets.
With cyber threats becoming more sophisticated, it’s essential to understand how attackers leverage built-in system tools to bypass security mechanisms and what organizations can do to protect themselves.
What is MAVInject.exe and Why is it Being Used?
MAVInject.exe (Microsoft Application Virtualization Injector) is a Windows-native tool that is part of Microsoft’s Application Virtualization (App-V) framework. It allows software to inject code into running processes—primarily to facilitate application virtualization.
While this tool has legitimate administrative uses, attackers have learned to exploit it as a method of executing malicious payloads while bypassing traditional security solutions such as endpoint detection and response (EDR) systems.
This technique falls under the "Living Off the Land Binaries and Scripts" (LOLBAS) strategy, where cybercriminals abuse legitimate system tools to conduct malicious activities. By doing so, attackers reduce the likelihood of raising red flags, because MAVInject.exe is a Microsoft-signed binary that security controls typically treat as trusted.
How Does the Attack Work?
Mustang Panda has deployed a multi-stage attack that begins with a dropper, "IRSetup.exe," that introduces several malicious components into the targeted system. Below is a breakdown of how this technique works:
1. Initial Infection & Dropper Execution
- The attack starts when a user is tricked into executing IRSetup.exe—a Trojanized installer that drops multiple files, including a decoy PDF document to distract the victim.
- This strategy is commonly used in spear-phishing attacks, where threat actors send convincing emails with infected attachments or links.
2. DLL Sideloading via a Legitimate Application
- To avoid raising suspicion, the attackers use OriginLegacyCLI.exe (a legitimate Electronic Arts gaming application) to sideload a malicious DLL named EACore.dll.
- DLL sideloading is a technique where attackers place a malicious DLL in the same directory as a trusted executable, tricking Windows into loading the malicious version instead of the legitimate one.
- In this case, the rogue DLL contains TONESHELL, a backdoor malware previously linked to Mustang Panda operations.
3. Detection of Security Software (Targeting ESET)
- The malware specifically looks for the presence of ESET security processes such as:
  - ekrn.exe (ESET’s main security service)
  - egui.exe (ESET’s graphical user interface)
- If these processes are detected, the malware adjusts its execution strategy to bypass them, demonstrating its adaptability.
4. MAVInject.exe for Code Injection
- Once the malware ensures it can operate undetected, it uses MAVInject.exe to inject malicious payloads into waitfor.exe (a legitimate Windows process).
- By doing this, the malicious code runs under a trusted system process, hiding its presence from security software.
- This process injection technique is highly effective in evading behavioral analysis performed by modern endpoint security solutions.
Why This Attack is a Big Deal
1. Advanced Evasion Techniques
Mustang Panda’s use of MAVInject.exe, DLL sideloading, and process injection makes this attack highly evasive. Traditional antivirus and signature-based security tools are unlikely to detect such an attack because the execution path appears legitimate.
2. Focus on Targeted Attacks
Mustang Panda is known for targeting government organizations, NGOs, think tanks, and research institutions—particularly those involved in geopolitical affairs. These attacks are not random but highly targeted.
3. Increasing Abuse of LOLBAS Tools
Security experts have observed a growing trend of hackers abusing built-in Windows tools (such as PowerShell, WMIC, and now MAVInject.exe). This approach, known as Living Off the Land (LotL), makes it incredibly difficult to detect malicious activity without deep behavioral analysis.
How to Protect Against This Attack
Given the sophistication of this attack, organizations must take a multi-layered approach to cybersecurity. Here are key recommendations to mitigate this type of threat:
1. Monitor System Utilities and LOLBAS Activity
- Implement behavioral analysis-based security tools that monitor suspicious process injection attempts and unauthorized use of MAVInject.exe.
- Regularly audit and restrict access to LOLBAS binaries to prevent unauthorized execution.
2. Deploy Advanced Endpoint Protection
- Traditional antivirus software is not enough. Deploy Endpoint Detection and Response (EDR) solutions that analyze process behavior and identify anomalous activity in real time.
- Configure security information and event management (SIEM) tools to detect unusual process execution patterns.
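To make the monitoring and SIEM recommendations in items 1 and 2 concrete, and to show how the attack chain described above can be spotted from telemetry, here is an added Python example. It is not code from the original article, from Mustang Panda's tooling, or from ESET; it runs simple detection rules over constructed, Sysmon-style process-creation and image-load events modelled on the chain described above: a DLL-sideloading candidate (an unsigned DLL loaded from the host executable's own user-writable directory), any execution of MAVInject.exe, and correlation of that execution with its parent process and with a waitfor.exe target. The event field names, the PIDs, the IRSetup folder, the signal name and stage2.dll are constructed sample values; /INJECTRUNNING is the publicly documented injection switch of the binary.

```python
"""Detection rules over constructed, Sysmon-like process and image-load events (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Locations a standard user can write to; a DLL loaded from here, beside its host
# executable, is a DLL-sideloading candidate (heuristic, not proof).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)
# Documented mavinject.exe switch that injects a DLL into a running PID.
INJECT_SWITCH = re.compile(r"/injectrunning", re.IGNORECASE)

# Constructed sample events (not real telemetry). Fields loosely mirror Sysmon
# event ID 1 (process create) and event ID 7 (image load).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4000, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 4100, "ppid": 4000,
     "image": r"C:\Users\victim\AppData\Local\Temp\IRSetup\OriginLegacyCLI.exe",
     "cmdline": "OriginLegacyCLI.exe"},
    {"type": "image_load", "pid": 4100,
     "image": r"C:\Users\victim\AppData\Local\Temp\IRSetup\OriginLegacyCLI.exe",
     "module": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "image_load", "pid": 4100,
     "image": r"C:\Users\victim\AppData\Local\Temp\IRSetup\OriginLegacyCLI.exe",
     "module": r"C:\Users\victim\AppData\Local\Temp\IRSetup\EACore.dll", "signed": False},
    {"type": "process_create", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\waitfor.exe", "cmdline": "waitfor.exe placeholder_signal"},
    {"type": "process_create", "pid": 4300, "ppid": 4100,
     "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4200 /INJECTRUNNING C:\Users\victim\AppData\Local\Temp\IRSetup\stage2.dll"},
    # Benign: a system process loading a signed DLL from System32 must not alert.
    {"type": "image_load", "pid": 500,
     "image": r"C:\Windows\System32\svchost.exe",
     "module": r"C:\Windows\System32\ntdll.dll", "signed": True},
]


@dataclass
class Alert:
    rule: str
    severity: str
    pid: int
    detail: str


# Severity grows with the number of independent indicators on one mavinject.exe event.
SEVERITY_BY_INDICATORS = {1: "medium", 2: "high"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect(events):
    """Return the list of alerts raised by the events, in event order."""
    alerts = []
    sideload_hosts = set()  # PIDs that loaded an unsigned DLL from their own user-writable directory
    waitfor_pids = set()    # PIDs of waitfor.exe, the injection target described in the write-up
    for ev in events:
        if ev["type"] == "image_load":
            if (_dir(ev["module"]) == _dir(ev["image"])
                    and USER_WRITABLE.match(ev["module"])
                    and not ev.get("signed", False)):
                sideload_hosts.add(ev["pid"])
                alerts.append(Alert("dll_sideload_candidate", "medium", ev["pid"],
                                    f"{_base(ev['image'])} loaded unsigned {_base(ev['module'])} "
                                    f"from its own directory"))
        elif ev["type"] == "process_create":
            name = _base(ev["image"])
            if name == "waitfor.exe":
                waitfor_pids.add(ev["pid"])
            elif name == "mavinject.exe":
                tokens = ev["cmdline"].split()
                indicators = ["mavinject.exe executed (rare outside App-V deployments)"]
                if INJECT_SWITCH.search(ev["cmdline"]):
                    indicators.append("DLL injection switch present")
                if any(t.isdigit() and int(t) in waitfor_pids for t in tokens):
                    indicators.append("target PID belongs to waitfor.exe")
                if ev["ppid"] in sideload_hosts:
                    indicators.append("parent process is a DLL-sideloading candidate")
                if any(USER_WRITABLE.match(t) for t in tokens):
                    indicators.append("injected DLL path is user-writable")
                severity = SEVERITY_BY_INDICATORS.get(len(indicators), "critical")
                alerts.append(Alert("mavinject_abuse", severity, ev["pid"], "; ".join(indicators)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.rule} pid={alert.pid}: {alert.detail}")
```

Two caveats before turning this into a production rule: MAVInject.exe is used legitimately on hosts that actually run App-V, so baseline where it executes in your environment before alerting on every invocation, and Sysmon image-load events (ID 7) are off by default and noisy, so scope them in the Sysmon configuration to executables loading from user-writable paths rather than collecting every load.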
3. Implement Application Control & Least Privilege
- Use Application Whitelisting to restrict the execution of unknown software.
- Ensure users operate under least privilege principles to prevent unauthorized modifications to system files.
4. Strengthen Email & Phishing Defenses
- Since the initial attack vector is likely phishing, organizations should:
  - Train employees to identify malicious emails.
  - Implement email security solutions that block malicious attachments and links.
  - Use multi-factor authentication (MFA) to limit the damage when credentials are stolen through phishing.
5. Keep Software & Security Tools Updated
- Ensure all security solutions, Windows OS, and third-party applications are updated with the latest patches.
- Disable unused services and tighten Windows security configurations.
Conclusion: Stay Vigilant Against Emerging Threats
The recent discovery of Mustang Panda's MAVInject.exe abuse highlights the evolving nature of cyber threats. As attackers become more sophisticated in bypassing traditional security measures, organizations must stay ahead by adopting proactive cybersecurity strategies.
Key Takeaways:
✔️ Hackers are using MAVInject.exe to inject malicious code and avoid detection.
✔️ The attack uses DLL sideloading, process injection, and ESET detection bypass techniques.
✔️ Traditional antivirus is ineffective against these techniques—advanced behavioral detection is required.
✔️ Organizations must monitor LOLBAS tools, deploy EDR solutions, and improve phishing defenses to stay protected.
Cybersecurity is a continuous battle—staying informed and proactive is the only way to defend against advanced threats like this one.