KEYPLUG

Malware updated 25 days ago (2024-08-14T09:48:19.789Z)
KeyPlug is a modular backdoor, written in C++, that primarily targets Windows and Linux systems. It supports multiple network protocols for command-and-control traffic, including HTTP, TCP, KCP over UDP, and WSS. It was first reported in March 2023, when the Chinese RedGolf group used it to exploit long-unpatched systems, particularly those running Windows; the weakness lies not with Windows or Linux as such but with these outdated, unsecured systems. The Advanced Persistent Threat group APT41 made heavy use of KeyPlug against state government victims from June to December 2021 and, following that campaign, deployed a ported version of the backdoor, a significant development in its operations. APT41 also introduced a new variant, KEYPLUG.LINUX, on Linux servers across multiple victims; this malware sub-family has since been identified and is tracked in its own right. Italian industries have also been targeted with KeyPlug, with APT41 assessed as a significant threat to them. Sandman, another suspected China-based adversary, has been associated with the use of KeyPlug, but SentinelLabs continues to track Sandman as a distinct cluster until further conclusive information suggests otherwise. The situation remains dynamic and requires ongoing monitoring to prevent further exploitation and damage.
Description last updated: 2024-08-14T08:46:44.966Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT41 | 4 | APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various
Luadream | 2 | LuaDream is a type of malware, specifically designed to exploit and damage computer systems or devices. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or
Redgolf | 2 | RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Windows
Linux
Chinese
Proxy
Apt
Encryption
State Sponso...
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
PlugX | Unspecified | 2 | PlugX is a notorious malware known for its harmful capabilities and stealthy operations. Often used by the Winnti group, it has been linked to various cyber-attacks, leveraging DLL side-loading to remain undetected. This technique allows it to infiltrate systems without raising alarms, making it an
Source Document References
Information about the KEYPLUG malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | a month ago | SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs | a month ago | security-affairs-malware-newsletter-round-5
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 2
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 2 months ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | APT41: The threat of KeyPlug against Italian industries
CERT-EU | 6 months ago | 12 Months of Fighting Cybercrime & Defending Enterprises | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | a year ago | Links 31/03/2023: Mozilla Turns 25 and OpenMandriva 23.03
CERT-EU | a year ago | NATO countries targeted by Winter Vivern via Zimbra vulnerability
CERT-EU | a year ago | Windows, Linux systems subjected to Chinese state-backed cyberattacks
CERT-EU | 9 months ago | Sandman APT tied to Chinese hacking operations
CERT-EU | 9 months ago | Report Sees Chinese Threat Actors Embracing Sandman APT
MITRE | 9 months ago | A Summary of APT41 Targeting U.S. State Governments
CERT-EU | 9 months ago | Sandman Cyberespionage Group Linked to China
CERT-EU | 9 months ago | Sandman APT - China-based adversaries embrace Lua – Global Security Mag Online