Doplugs

Malware updated 4 months ago (2024-05-04T21:18:06.009Z)
DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. Unlike the standard PlugX backdoor, DOPLUGS includes a completed backdoor command module and acts as a downloader supporting four backdoor commands. This customized version of PlugX has been found to be distinct from the general type, leading researchers to assign it a new name: DOPLUGS. The threat actors have employed spear-phishing emails containing a Google Drive link to distribute the DOPLUGS malware. These links host a password-protected archive file that, when downloaded, installs the DOPLUGS malware on the victim's system. In the course of their investigation, researchers discovered a DOPLUGS variant with an integrated KillSomeOne module, a feature that enables USB-based malware delivery and data exfiltration. This particular variant can be traced back to as early as 2018. The deployment of DOPLUGS was reported by several cybersecurity research firms including Secureworks, Recorded Future, Check Point, and Lab52. The malware's unique RC4 algorithm implementation for PlugX decryption was noted by Lab52 researchers after Taiwanese government and political organizations were targeted. Notably, some DOPLUGS samples were found to include the KillSomeOne module, marking a significant evolution in its functionality. According to a report from Trend Micro, DOPLUGS also features a separate launcher that facilitates DLL sideloading, command execution, and next-stage malware deployment.
Description last updated: 2024-05-04T21:09:10.781Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description

PlugX | 3 | PlugX is a notorious malware known for its harmful capabilities and stealthy operations. Often used by the Winnti group, it has been linked to various cyber-attacks, leveraging DLL side-loading to remain undetected. This technique allows it to infiltrate systems without raising alarms, making it an

Korplug | 2 | Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Phishing
Downloader
Associated Malware
ID | Type | Votes | Profile Description

Killsomeone | Unspecified | 3 | KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware ope
Associated Threat Actors
ID | Type | Votes | Profile Description

Mustang Panda | Unspecified | 2 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar

Earth Preta | Unspecified | 2 | Earth Preta, also known as Mustang Panda, Bronze President, TA416, RedDelta, and Stately Taurus, is a prominent threat actor group that has been operational since at least 2012. The group has been highly active in Europe and Asia, employing a variety of tools and malware for their malicious activiti
Source Document References
Information about the Doplugs Malware was read from the documents corpus below. This display is limited to 20 results.

Source | Created At | Title

CERT-EU | 7 months ago | Sophisticated PlugX backdoor variant leveraged in Mustang Panda attacks
CERT-EU | 7 months ago | Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware
CERT-EU | 7 months ago | New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
Securityaffairs | 7 months ago | New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
Trend Micro | 7 months ago | Earth Preta Campaign Uses DOPLUGS to Target Asia