2025-02-13
A newly disclosed UI vulnerability in Microsoft Windows is being actively exploited by the suspected APT group Mustang Panda. Files extracted from a compressed RAR archive end up hidden from the user: when they are extracted into a folder, Windows Explorer shows that folder as empty even though the files are present on disk. The files remain accessible and executable from command-line tools, so a payload can be launched normally while the victim sees nothing in the folder.
Exploitation Details
Mustang Panda is leveraging this flaw to conceal malware inside RAR archives, which are delivered via phishing campaigns or other deceptive methods. Once extracted, the payload stays invisible in Windows Explorer but can still be executed to compromise the system.
Commands to Detect and Mitigate
To detect hidden files in a directory, run the following in Command Prompt from inside the folder that looks empty:
[cmd]
dir /a
[/cmd]
This lists every entry, including hidden and system files. Explorer's default view suppresses files that carry both the hidden and system attributes (the "Hide protected operating system files" setting), which is why the folder appears empty there while `dir /a` still shows its contents.
To remove the hidden and system attributes so the files show up in Explorer again, run the following in the same folder:
[cmd]
attrib -s -h
[/cmd]
With no path argument `attrib` acts on every file in the current directory; give it a file name or wildcard to limit the change, or add `/s` to recurse into subfolders. Both flags are needed together, since Windows will not clear the hidden attribute on a file that still has the system attribute set. Record the file names and hashes before unhiding, and do not open or run the files: unhiding is for inspection, not for making the payload easier to launch.
For a more comprehensive check, PowerShell lists the same entries; without `-Force` they are skipped, just as in Explorer:
[cmd]
Get-ChildItem -Force
[/cmd]
This displays all files, including hidden and system-protected ones, and can be combined with `-Recurse` to cover subfolders.
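The three checks above are easiest to run as one hunt. The script below is an added example, not code from the original post or from the Mustang Panda report: it walks the folders where extracted archives usually land, reports every file that carries both the Hidden and System attributes (what `dir /a` shows and `attrib -s -h` undoes), hashes it, and clears the attributes only when `-Unhide` is given. The folder list, the extension list, and the `-Demo` switch, which builds a harmless placeholder file to reproduce the symptom, are assumptions for illustration.

```powershell
# Added example, not from the original post: hunt for files that Explorer hides
# because they carry both the Hidden and System attributes, i.e. what "dir /a"
# shows and "attrib -s -h" undoes. Roots, extensions and the -Demo folder are
# assumptions for illustration.
param(
    [string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:USERPROFILE\Desktop"),
    [switch]$Unhide,   # clear Hidden+System so Explorer shows the files again
    [switch]$Demo      # create a throwaway folder that reproduces the symptom
)

# Extensions Windows runs directly from a double-click or a script host
$RiskyExt = @('.exe', '.dll', '.scr', '.cmd', '.bat', '.ps1', '.vbs', '.js', '.lnk', '.hta', '.msi')

function New-DemoFolder {
    # Constructed sample: a text file, not a real binary, with the attributes
    # that make a folder look empty in Explorer's default view.
    $dir = Join-Path $env:TEMP 'hidden-rar-demo'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $f = Join-Path $dir 'update.exe'
    Set-Content -LiteralPath $f -Value 'placeholder, not executable code' -NoNewline
    (Get-Item -LiteralPath $f -Force).Attributes = [IO.FileAttributes]'Hidden, System'
    return $dir
}

function Find-HiddenSystemFiles {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Force includes the hidden/system entries that Get-ChildItem skips by default
        Get-ChildItem -LiteralPath $p -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                ($_.Attributes -band [IO.FileAttributes]::System)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $_.Attributes
                    SizeBytes  = $_.Length
                    Executable = $RiskyExt -contains $_.Extension.ToLower()
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Created    = $_.CreationTime
                }
            }
    }
}

function Clear-HiddenSystem {
    param([string]$Path)
    # Clear both bits in one write (the equivalent of attrib -s -h) and keep
    # any other attributes, such as Archive or ReadOnly, as they were.
    $fi = Get-Item -LiteralPath $Path -Force
    $mask = -bnot [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $new = [int]$fi.Attributes -band $mask
    if ($new -eq 0) { $new = [int][IO.FileAttributes]::Normal }   # Normal is the "no attributes" value
    $fi.Attributes = [IO.FileAttributes]$new
}

if ($Demo) { $Roots += New-DemoFolder }

$hits = @(Find-HiddenSystemFiles -Paths $Roots)
if ($hits.Count -eq 0) {
    Write-Host "No hidden+system files under: $($Roots -join ', ')"
    return
}

# Executables first; the hashes are recorded before anything is touched
$hits | Sort-Object Executable -Descending |
    Format-Table Path, Attributes, SizeBytes, Executable, SHA256 -AutoSize

if ($Unhide) {
    foreach ($h in $hits) { Clear-HiddenSystem -Path $h.Path }
    Write-Host "Cleared Hidden/System on $($hits.Count) file(s); they are now visible in Explorer."
}
```

Run it as `.\Find-HiddenRar.ps1 -Demo` to see the placeholder reported under `%TEMP%\hidden-rar-demo`, then `-Demo -Unhide` to watch the folder reappear in Explorer. Hashing before unhiding matters because the hash, not the file name, is what you will search for across other hosts and in threat-intel feeds; the attribute change itself is harmless to the evidence but alters the file's metadata timestamps.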
What Undercode Say
The exploitation of this Windows 0-day vulnerability by Mustang Panda highlights the importance of staying vigilant against phishing campaigns and understanding how hidden files can be used to compromise systems. Here are some additional commands and practices to enhance your cybersecurity posture:
- Regular System Scans: Use Windows Defender or third-party antivirus software to scan for hidden malware. A full scan (`-ScanType 2`) covers the whole system; `-ScanType 3 -File <path>` scans a single folder such as the one the archive was extracted to.
[cmd]
"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
[/cmd]
- Monitor Network Traffic: Use tools like Wireshark or built-in Windows commands to look for suspicious connections. The `-o` switch adds the owning process ID, so an unexpected remote address can be tied to a process with `tasklist`.
[cmd]
netstat -ano
[/cmd]
- Enable Auditing: Turn on auditing to track file access and changes. The File System subcategory only produces events for files and folders that carry a system access control list (SACL), so set one on the folders you care about (for example Downloads and Temp) or nothing will be logged.
[cmd]
auditpol /set /subcategory:"File System" /success:enable /failure:enable
[/cmd]
- Check for Unusual Processes: Use Task Manager or PowerShell to identify and terminate suspicious processes. Note that the `CPU` property is total processor time in seconds since the process started, not a percentage, so this filter surfaces long-running or busy processes rather than current load.
[cmd]
Get-Process | Where-Object { $_.CPU -gt 50 }
[/cmd]
- Update and Patch: Ensure your system is up to date with the latest security patches. `wuauclt /detectnow` is deprecated on Windows 10 and later and may do nothing there; use the Windows Update settings page instead.
[cmd]
wuauclt /detectnow /updatenow
[/cmd]
- Use Firewall Rules: Configure Windows Firewall to block suspicious inbound and outbound connections. `remoteip=` takes an address or CIDR range; add a matching `dir=out` rule to stop the host from reaching the same address.
[cmd]
netsh advfirewall firewall add rule name="Block Suspicious IP" dir=in action=block remoteip=
[/cmd]
- Backup Regularly: Use Windows Backup or third-party tools to create regular backups of critical data, and keep them somewhere a compromised host cannot overwrite.
[cmd]
wbadmin start backup -backupTarget: -include:
[/cmd]
- Disable ActiveX: If not needed, disable ActiveX to prevent related vulnerabilities. The kill bit is set per control: a `Compatibility Flags` DWORD of 0x400 under a `{CLSID}` subkey of the path below. This is general hardening and is unrelated to the RAR issue itself.
[cmd]
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" /v /t REG_DWORD /d 0x400 /f
[/cmd]
- Educate Users: Train users to recognize phishing attempts and avoid opening suspicious attachments, including archives.
- Use Command-Line Tools: Familiarize yourself with command-line tools like `dir`, `attrib`, and `netstat` to detect and mitigate threats manually.
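The process check and the network check above answer one question when combined: is anything hidden actually running, and is it talking to the network? The script below is an added example, not code from the original post. It maps established TCP connections to their owning process with `Get-NetTCPConnection` (NetTCPIP module, Windows 8/Server 2012 and later) and flags processes whose image file is Hidden+System, sits under the user profile or ProgramData, or lacks a valid Authenticode signature. The path patterns are assumptions; a flagged process is a lead to investigate, not a verdict, since many legitimate updaters and chat clients run unsigned helpers from the user profile.

```powershell
# Added example, not from the original post: tie the "unusual processes" and
# "network traffic" checks together. The user-writable path patterns are assumptions.
function Get-ImageFlags {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $a = (Get-Item -LiteralPath $Path -Force).Attributes
    $userDirs = @("$env:USERPROFILE\*", "$env:TEMP\*", "$env:ProgramData\*")   # assumed locations
    [pscustomobject]@{
        # The condition the article describes: invisible in Explorer, runnable from a shell
        HiddenSystem = [bool](($a -band [IO.FileAttributes]::Hidden) -and ($a -band [IO.FileAttributes]::System))
        UserWritable = [bool]($userDirs | Where-Object { $Path -like $_ })
        Signed       = (Get-AuthenticodeSignature -LiteralPath $Path).Status -eq 'Valid'
    }
}

function Get-SuspiciousProcesses {
    # Established TCP connections grouped by owning PID; string keys so $p.Id matches below
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    foreach ($p in (Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path })) {
        $flags = Get-ImageFlags -Path $p.Path
        if ($null -eq $flags) { continue }
        if (-not ($flags.HiddenSystem -or $flags.UserWritable -or -not $flags.Signed)) { continue }

        $remote = @()
        if ($conns -and $conns.ContainsKey([string]$p.Id)) {
            $remote = @($conns[[string]$p.Id] | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" })
        }
        [pscustomobject]@{
            PID          = $p.Id
            Name         = $p.ProcessName
            Path         = $p.Path
            HiddenSystem = $flags.HiddenSystem
            UserWritable = $flags.UserWritable
            Signed       = $flags.Signed
            Remote       = ($remote -join ', ')
        }
    }
}

# Hidden+System images first, then anything unsigned or running from a user-writable path
Get-SuspiciousProcesses |
    Sort-Object HiddenSystem, UserWritable -Descending |
    Format-Table PID, Name, HiddenSystem, UserWritable, Signed, Remote, Path -AutoSize -Wrap
```

Run it from an elevated prompt so that `Get-Process` can read the image path of processes owned by other users; unprivileged runs silently skip those. A `HiddenSystem` hit with an established remote connection is the case this article describes and should be handled as an incident: capture the hash and the remote address before terminating the process, since both are lost once it is killed.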
By implementing these practices and commands, you can better protect your systems from similar vulnerabilities and ensure a more secure computing environment. Stay informed about the latest cybersecurity threats, keep your systems updated, and check Microsoft's security advisories for any guidance on this issue.
References:
Hackers Feeds, Undercode AI