Mustang Panda Uses LNK, PowerShell Chain to Deploy PlugX RAT
ID: 2dd28fc7-32ca-5d36-85a7-bf3fd0607f65
STIX ID: report--2dd28fc7-32ca-5d36-85a7-bf3fd0607f65
Feed Name: GBHackers
The report describes a Mustang Panda campaign delivering the PlugX remote access trojan through a multi-stage loader. A malicious LNK launches hidden PowerShell, which drops a fake "Browser_Updater.exe" and an MSI; the MSI installs a signed G DATA executable (Avk.exe) alongside a malicious Avk.dll and an encrypted payload, so the legitimate binary sideloads the attacker's DLL. The DLL resolves APIs by hashing at runtime and stages its payload in RWX memory to sidestep detection. The payload decrypts layered blobs, maps and relocates a PlugX PE in memory, establishes persistence by copying its files into %PUBLIC%\GData and adding a Run key, and beacons over HTTPS to a hard-coded C2 (observed: fruitbrat.com) using cookie-based identifiers. The analysis includes TTPs, registry and mutex behaviors, network indicators, and procedural details useful for detection and response.
