Hodur

Malware Profile Updated 3 months ago
Hodur is a variant of the Korplug (also known as PlugX) malware family, often deployed by China-aligned threat actors such as the Mustang Panda group. It typically infiltrates systems through suspicious downloads, emails, or websites. Once inside a system, Hodur can steal personal information, disrupt operations, or hold data hostage for ransom. Hodur has been observed transitioning from another malware variant, DOPLUGS, indicating an evolution in its deployment strategy.

In December 2022, the cybersecurity firm Avast disclosed a series of attacks targeting government agencies and political NGOs in Myanmar. The attackers used Hodur together with a Google Drive uploader utility to exfiltrate sensitive data, including email dumps, files, court hearings, interrogation reports, and meeting transcripts. This marked a significant escalation in the use of Hodur, demonstrating its capability to facilitate large-scale, targeted data breaches.

A distinguishing feature of the Hodur variant is its two categories of command-and-control (C&C) server. One functions as a regular C&C server that receives backdoor commands, while the second serves payloads that are injected into svchost.exe. This dual-server structure makes the malware's communication more versatile and harder to disrupt. The KillSomeOne + Hodur variant is a notable example of this functionality.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
PlugX | 2 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Doplugs | 1 | DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
Killsomeone + Hodur | 1 | None
Korplug | 1 | Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
svchost.exe | Unspecified | 1 | Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Killsomeone | Unspecified | 1 | KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware ope
Associated Threat Actors
ID | Type | Votes | Profile Description
Mustang Panda | Unspecified | 1 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Hodur malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | Operation Jacana: They’re taking the hobbits to Guyana
CERT-EU | a year ago | Chinese Hackers Targeting European Entities with New MQsTTang Backdoor
Trend Micro | 5 months ago | Earth Preta Campaign Uses DOPLUGS to Target Asia
CERT-EU | a year ago | Chinese Hackers Targeting European Entities with New MQsTTang Backdoor | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security Consulting