Doplugs

Malware updated 7 months ago (2024-05-04T21:18:06.009Z)
DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this malware has been used in targeted campaigns against several Asian countries, including Taiwan, Vietnam, India, Japan, and China. Unlike the standard PlugX backdoor, DOPLUGS includes a completed backdoor command module and acts as a downloader supporting four backdoor commands. Because this customized version of PlugX is distinct from the general type, researchers assigned it a new name: DOPLUGS. The threat actors distribute DOPLUGS through spear-phishing emails containing a Google Drive link. The link hosts a password-protected archive file that, when downloaded and opened, installs DOPLUGS on the victim's system. During their investigation, researchers discovered a DOPLUGS variant with an integrated KillSomeOne module, a feature that enables USB-based malware delivery and data exfiltration; this particular variant can be traced back to as early as 2018. The deployment of DOPLUGS has been reported by several cybersecurity research firms, including Secureworks, Recorded Future, Check Point, and Lab52. Lab52 researchers noted the malware's unique RC4 algorithm implementation for PlugX decryption after Taiwanese government and political organizations were targeted. Notably, some DOPLUGS samples were found to include the KillSomeOne module, marking a significant evolution in its functionality. According to a report from Trend Micro, DOPLUGS also features a separate launcher that facilitates DLL sideloading, command execution, and next-stage malware deployment.
Description last updated: 2024-05-04T21:09:10.781Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
PlugX | PlugX is a possible alias for Doplugs. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s | 3
Korplug | Korplug is a possible alias for Doplugs. Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Phishing
Downloader
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
KillSomeOne | The KillSomeOne Malware is associated with Doplugs. KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware ope | Unspecified | 3
Associated Threat Actors
Alias | Description | Association Type | Votes
Mustang Panda | The Mustang Panda Threat Actor is associated with Doplugs. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif | Unspecified | 2
Earth Preta | The Earth Preta Threat Actor is associated with Doplugs. Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools a | Unspecified | 2
Source Document References
Information about the Doplugs Malware was read from the documents corpus below. This display is limited to 20 results.