Hodur

Hodur is a sophisticated malware variant of Korplug (also known as PlugX), often deployed by China-aligned threat actors, such as the Mustang Panda group. The malware is designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. Once inside a system, Hodur can steal personal information, disrupt operations, or even hold data hostage for ransom. This malicious software has been found to transition from another malware type called DOPLUGS, indicating an evolution in its deployment strategy. In December 2022, cybersecurity firm Avast disclosed a series of attacks targeting government agencies and political NGOs in Myanmar. The attackers used Hodur and a Google Drive uploader utility to exfiltrate sensitive data, including email dumps, files, court hearings, interrogation reports, and meeting transcripts. This marked a significant escalation in the use of Hodur, demonstrating its capability to facilitate large-scale, targeted data breaches. A distinguishing feature of the Hodur variant is its dual-category command and control (C&C) servers. One server functions as a regular C&C server, receiving backdoor commands, while the second is designed to download payloads for process injection in svchost.exe. This dual-server structure enhances the malware's communication capabilities, making it more versatile and potent. The KillSomeOne + Hodur variant serves as a notable example of this advanced functionality.