KEYPLUG

Malware updated 2 months ago (2024-09-11T09:18:09.616Z)
Download STIX
Preview STIX
KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, specifically state government entities between June 2021 and December 2021. However, its reach extended to Linux systems as well, with a new variant, KEYPLUG.LINUX, being deployed on Linux servers at various victims. The deployment of the Linux version of KeyPlug followed closely after the state government campaign, indicating a significant shift in targets. The malware has been associated with numerous attacks, including those against Italian industries. It is designed to exploit unpatched vulnerabilities in both Windows and Linux systems. Despite Linux's robust security, systems that have not been updated for an extended period are susceptible to this backdoor attack. Notably, KeyPlug uses a custom algorithm for hashing the names of the APIs to dynamically load in the first part of the shellcode. There have been hypotheses linking KeyPlug malware to the Hector leak, although these claims lack direct evidence and therefore remain speculative. Regardless, KeyPlug remains a substantial threat due to its modular design and ability to use various protocols like TCP, UDP, WSS, HTTP, QUIC, making it a versatile tool for cyber espionage and data theft.
Description last updated: 2024-09-11T09:16:36.817Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT41 is a possible alias for KEYPLUG. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
4
Luadream is a possible alias for KEYPLUG. LuaDream is a type of malware, specifically designed to exploit and damage computer systems or devices. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or
2
Redgolf is a possible alias for KEYPLUG. RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Linux
Windows
Chinese
Apt
Encryption
Proxy
State Sponso...
Implant
Rat
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The PlugX Malware is associated with KEYPLUG. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to sUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Tick Threat Actor is associated with KEYPLUG. Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and CounteUnspecified
2
Source Document References
Information about the KEYPLUG Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Yori
2 months ago
Yori
2 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
CERT-EU
8 months ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
a year ago