Killsomeone

Malware updated 5 months ago (2024-05-04T21:17:59.847Z)

Download STIX

Preview STIX

KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware operates by infecting systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal information, disrupting operations, or holding data for ransom. An interesting feature of the KillSomeOne + Hodur variant is its use of two types of C&C servers: one for receiving backdoor commands and another for downloading payloads for process injection in svchost.exe. The KillSomeOne module has undergone several stages of evolution, each time integrating with different types of PlugX malware. These integrations have resulted in an array of variants, each more sophisticated than the last. One such example is the first PlugX variant featuring the KillSomeOne module designed specifically for spreading via USB, as mentioned in Avira’s report. Moreover, the module specializes in USB infections, indicating a unique propagation method compared to other malware. In terms of behavior, the KillSomeOne thread exhibits two major traits. Firstly, it removes all traces related to previous instances of PlugX malware, including files, processes, registries, and scheduled tasks. This behavior indicates a high level of sophistication and stealth, enabling the malware to evade detection and removal. Furthermore, continuous hunting efforts have revealed several customized PlugX malware samples equipped with the KillSomeOne module, suggesting that this dangerous combination continues to evolve and pose threats to cybersecurity.

Description last updated: 2024-05-04T21:09:11.981Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
PlugX is a possible alias for Killsomeone. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Worm

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Doplugs Malware is associated with Killsomeone. DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U	Unspecified	3

Source Document References

Information about the Killsomeone Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Trend Micro	8 months ago	Earth Preta Campaign Uses DOPLUGS to Target Asia
CERT-EU	8 months ago	Sophisticated PlugX backdoor variant leveraged in Mustang Panda attacks
Securityaffairs	8 months ago	New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS