Doplugs

Malware updated 23 days ago (2024-11-29T14:08:59.629Z)
Download STIX
Preview STIX
DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. Unlike the standard PlugX backdoor, DOPLUGS includes a completed backdoor command module and acts as a downloader supporting four backdoor commands. This customized version of PlugX has been found to be distinct from the general type, leading researchers to assign it a new name: DOPLUGS. The threat actors have employed spear-phishing emails containing a Google Drive link to distribute the DOPLUGS malware. These links host a password-protected archive file that, when downloaded, installs the DOPLUGS malware on the victim's system. In the course of their investigation, researchers discovered a DOPLUGS variant with an integrated KillSomeOne module, a feature that enables USB-based malware delivery and data exfiltration. This particular variant can be traced back to as early as 2018. The deployment of DOPLUGS was reported by several cybersecurity research firms including Secureworks, Recorded Future, Check Point, and Lab52. The malware's unique RC4 algorithm implementation for PlugX decryption was noted by Lab52 researchers after Taiwanese government and political organizations were targeted. Notably, some DOPLUGS samples were found to include the KillSomeOne module, marking a significant evolution in its functionality. According to a report from Trend Micro, DOPLUGS also features a separate launcher that facilitates DLL sideloading, command execution, and next-stage malware deployment.
Description last updated: 2024-05-04T21:09:10.781Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
PlugX is a possible alias for Doplugs. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s
3
Korplug is a possible alias for Doplugs. Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Phishing
Downloader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Killsomeone Malware is associated with Doplugs. KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware opeUnspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mustang Panda Threat Actor is associated with Doplugs. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modifUnspecified
2
The Earth Preta Threat Actor is associated with Doplugs. Earth Preta, also known as Mustang Panda or Stately Taurus, is a high-profile threat actor group that has been actively executing cyberattacks with malicious intent. Their activities have been particularly prevalent in the Asia Pacific (APAC) region and Europe. The group employs a variety of tools aUnspecified
2
Source Document References
Information about the Doplugs Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more