Korplug

Malware updated 6 months ago (2024-05-25T09:17:32.579Z)
Download STIX
Preview STIX
Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operations, or hold data hostage for ransom. The group has been known to target various Asian countries with a variant of this backdoor malware dubbed DOPLUGS. Notably, on February 22, 2024, Mustang Panda launched another such attack. The Korplug loader, a key component of this malware, was written in Nim, a versatile programming language known for its efficiency and flexibility. Several instances of DLL files infected with variants of the Korplug malware were detected, such as BEE0B741142A9C392E05E0443AAE1FA41EF512D6 HPCustPartUI.dll and AB01E099872A094DC779890171A11764DE8B4360 BoomerangLib.dll, among others. These files are typically used as part of the group's classic trident, a strategy further detailed in a WeLiveSecurity article from March 2022. In addition to deploying Korplug, the attackers also utilized other malware, such as DinodasRAT, according to ESET researchers. This multi-pronged approach suggests a sophisticated operation likely conducted by state-aligned actors. Symantec reported that these downloaders were subsequently used to deploy Korplug, reinforcing the assertion that Mustang Panda was behind these cyber-attacks. As such, organizations are advised to implement robust security measures to protect against such threats.
Description last updated: 2024-05-25T09:15:28.401Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
PlugX is a possible alias for Korplug. PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to s
6
Sogu is a possible alias for Korplug. SOGU is a malicious software (malware) attributed to TEMP.Hex, a threat actor linked to China. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations
3
Doplugs is a possible alias for Korplug. DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
2
Cobra Docguard is a possible alias for Korplug. Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Downloader
Apt
Symantec
Implant
Rat
Payload
Loader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Dinodasrat Malware is associated with Korplug. DinodasRAT is a malicious software that has been causing significant security concerns worldwide. This malware, which targets both Windows and Linux operating systems, is designed to infiltrate your system and perform harmful activities such as stealing personal information, disrupting operations, oUnspecified
3
The Cobra Malware is associated with Korplug. Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrupUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mustang Panda Threat Actor is associated with Korplug. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modifUnspecified
2
Source Document References
Information about the Korplug Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
ESET
6 months ago
CERT-EU
a year ago
CERT-EU
9 months ago
Securityaffairs
9 months ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
BankInfoSecurity
a year ago
Checkpoint
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
2 years ago
Securityaffairs
2 years ago
Count Upon Security
2 years ago
Count Upon Security
2 years ago
Securityaffairs
a year ago