Hodur

Malware Profile Updated 23 days ago
Hodur is a sophisticated malware variant of Korplug (also known as PlugX), often deployed by China-aligned threat actors, such as the Mustang Panda group. The malware is designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. Once inside a system, Hodur can steal personal information, disrupt operations, or even hold data hostage for ransom. This malicious software has been found to transition from another malware type called DOPLUGS, indicating an evolution in its deployment strategy.

In December 2022, cybersecurity firm Avast disclosed a series of attacks targeting government agencies and political NGOs in Myanmar. The attackers used Hodur and a Google Drive uploader utility to exfiltrate sensitive data, including email dumps, files, court hearings, interrogation reports, and meeting transcripts. This marked a significant escalation in the use of Hodur, demonstrating its capability to facilitate large-scale, targeted data breaches.

A distinguishing feature of the Hodur variant is its dual-category command and control (C&C) servers. One server functions as a regular C&C server, receiving backdoor commands, while the second is designed to download payloads for process injection in svchost.exe. This dual-server structure enhances the malware's communication capabilities, making it more versatile and potent. The KillSomeOne + Hodur variant serves as a notable example of this advanced functionality.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: PlugX
Votes: 2
Profile Description: PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Hodur Malware was read from the documents corpus below.
Source: Trend Micro
Created at: 3 months ago
Title: Earth Preta Campaign Uses DOPLUGS to Target Asia

Source: CERT-EU
Created at: 8 months ago
Title: Operation Jacana: They’re taking the hobbits to Guyana

Source: CERT-EU
Created at: a year ago
Title: Chinese Hackers Targeting European Entities with New MQsTTang Backdoor

Source: CERT-EU
Created at: a year ago
Title: Chinese Hackers Targeting European Entities with New MQsTTang Backdoor | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting