Killsomeone

Malware Profile Updated 3 months ago
KillSomeOne is a highly potent malware module that has been integrated into various variants of the PlugX backdoor Trojan. The first variant of this integration was discovered in 2018 as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. The malware infects systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal information, disrupting operations, or holding data for ransom. A notable feature of the KillSomeOne + Hodur variant is its use of two types of C&C servers: one for receiving backdoor commands and another for downloading payloads that are injected into svchost.exe.

The KillSomeOne module has gone through several stages of evolution, each time being integrated into a different type of PlugX malware. These integrations have produced an array of variants, each more sophisticated than the last. One example is the first PlugX variant carrying the KillSomeOne module that was designed specifically to spread via USB, as described in Avira's report; the module's specialization in USB infection sets its propagation method apart from other malware.

In terms of behavior, the KillSomeOne thread exhibits two major traits. The first is that it removes all traces of previous PlugX instances, including files, processes, registry entries, and scheduled tasks. This behavior indicates a high level of sophistication and stealth, enabling the malware to evade detection and removal. Continued hunting efforts have since uncovered several customized PlugX samples equipped with the KillSomeOne module, suggesting that this dangerous combination continues to evolve and pose a threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
PlugX | 2 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Worm
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
Doplugs | Unspecified | 3 | DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
Hodur | Unspecified | 1 | Hodur is a sophisticated malware variant of Korplug (also known as PlugX), often deployed by China-aligned threat actors, such as the Mustang Panda group. The malware is designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. Once in
Killsomeone + Hodur | Unspecified | 1 | None
svchost.exe | Unspecified | 1 | Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Associated Threat Actors
ID | Type | Votes | Profile Description
Earth Preta | Unspecified | 1 | Earth Preta, also known as Mustang Panda, Bronze President, TA416, RedDelta, and Stately Taurus, is a prominent threat actor group that has been operational since at least 2012. The group has been highly active in Europe and Asia, employing a variety of tools and malware for their malicious activiti
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Killsomeone malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Trend Micro | 5 months ago | Earth Preta Campaign Uses DOPLUGS to Target Asia
CERT-EU | 5 months ago | Sophisticated PlugX backdoor variant leveraged in Mustang Panda attacks
Securityaffairs | 5 months ago | New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS