The Mustang Panda APT group loads the PlugX malware in the memory of legitimate software by employing a four-stage infection chain that leverages malicious shortcut (LNK) files, triggering execution via DLL search-order-hijacking.