Malware Profile Updated 24 days ago
Download STIX
Preview STIX
KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware operates by infecting systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal information, disrupting operations, or holding data for ransom. An interesting feature of the KillSomeOne + Hodur variant is its use of two types of C&C servers: one for receiving backdoor commands and another for downloading payloads for process injection in svchost.exe. The KillSomeOne module has undergone several stages of evolution, each time integrating with different types of PlugX malware. These integrations have resulted in an array of variants, each more sophisticated than the last. One such example is the first PlugX variant featuring the KillSomeOne module designed specifically for spreading via USB, as mentioned in Avira’s report. Moreover, the module specializes in USB infections, indicating a unique propagation method compared to other malware. In terms of behavior, the KillSomeOne thread exhibits two major traits. Firstly, it removes all traces related to previous instances of PlugX malware, including files, processes, registries, and scheduled tasks. This behavior indicates a high level of sophistication and stealth, enabling the malware to evade detection and removal. Furthermore, continuous hunting efforts have revealed several customized PlugX malware samples equipped with the KillSomeOne module, suggesting that this dangerous combination continues to evolve and pose threats to cybersecurity.
What's your take? (Question 1 of 4)
499572e0-e7da-4bfd-92a8-12e11c01eb6e Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
PlugX is a notorious malware, often used by various threat groups in their cyberattacks. It has been linked to several high-profile activities, such as those of the Winnti group and the LockFile ransomware activity. This Remote Access Trojan (RAT) employs sophisticated techniques like DLL side-loadi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Killsomeone Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
Trend Micro
3 months ago
Earth Preta Campaign Uses DOPLUGS to Target Asia
3 months ago
New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
3 months ago
Sophisticated PlugX backdoor variant leveraged in Mustang Panda attacks