PLEAD

Malware Profile Updated 2 days ago
PLEAD is malware that ESET researchers discovered in 2019 being used by the Chinese APT group known as BlackTech. The group was found to be performing Man-in-the-Middle (MitM) attacks through compromised ASUS routers and delivering PLEAD through ASUS WebStorage software updates. The malware, also referred to as TSCookie, has been active since 2015 and is known for stealing data from victim organizations. The threat actors hid PLEAD inside legitimate-looking ASUS software updates and used it to target additional systems within the environment.

Several incidents related to the PLEAD malware have been reported over the years. For instance, Bowser pleaded guilty to two charges related to the malware and was sentenced to 40 months in prison and a fine of $4.5 million, later increased by $10 million. In another case, Jack Teixeira, a former airman and Pentagon leak suspect, was expected to plead guilty for his role in leaking sensitive intelligence online, which was linked to the use of PLEAD. Furthermore, two foreign nationals pleaded guilty to their participation in the LockBit Ransomware Group, which used similar tactics to those seen in the PLEAD campaign.

PLEAD's distinctive behaviour, such as the capability to eavesdrop on edge networking equipment and perform DNS and HTTP hijacking, has seldom been observed. Other campaigns, such as ZuoRat, VPNFilter, Attor, and Cuttlefish, have exhibited similar behaviour. PLEAD stands out, however, because it is specifically designed to seek out private IP connections for hijacking. This innovation represents the next generation in malware capabilities, indicating an evolving threat landscape that requires vigilant cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description

TSCookie (2 votes): TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It's also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent

Waterbear (2 votes): WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostag

BendyBear (1 vote): BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an

Fakedead (1 vote): FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema

Dbgprint (1 vote): None

Bifrose (1 vote): Bifrose, a form of malicious software (malware), is designed to exploit and damage computer systems. It infiltrates the user's device without their knowledge via suspicious downloads, emails, or websites. Once inside the system, Bifrose can steal personal information, disrupt operations, and even ho

Kivars (1 vote): Kivars, a type of malware, was identified as being used in conjunction with other malicious software, PLEAD and Waterbear, to target systems. The first incidents were detected on February 23rd and March 8th, 2017, where PLEAD and Kivars were seen attacking the same target. On March 16th, 2017, anoth
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Vpn
Apt
Exploit
Ransomware
Espionage
Botnet
Trojan
Phishing
Exploits
Backdoor
AITM
Ddos
Vulnerability
Decoy
Iis
Twitter
Associated Malware
ID (type, votes): Profile Description

Attor (Unspecified, 2 votes): None

Mirai Botnet (Unspecified, 1 vote): The Mirai botnet is a type of malware, malicious software designed to exploit and harm computer systems. It spreads by exploiting vulnerabilities in different systems, most notably through Ivanti Connect Secure bugs and the JAWS Webserver. Once inside a system, it can steal personal information, dis

Lockbit (Unspecified, 1 vote): LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt

Zeus (Unspecified, 1 vote): Zeus is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Zeus can steal personal information, disrupt operations, or even hold da

Mirai (Unspecified, 1 vote): Mirai is a type of malware that primarily targets Internet of Things (IoT) devices to form botnets, which are networks of private computers infected with malicious software and controlled as a group without the owners' knowledge. In early 2022, Mirai botnets accounted for over 7 million detections g
Associated Threat Actors
ID (type, votes): Profile Description

BlackTech (Unspecified, 3 votes): BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sop

plugwalkjoe (Unspecified, 1 vote): Joseph James O'Connor, known online as PlugwalkJoe, was a notorious threat actor from the United Kingdom who specialized in SIM-swapping to hijack online identities. His most infamous crime involved the hacking of over 130 Twitter accounts in July 2020, which included high-profile figures such as Ap
Associated Vulnerabilities
ID (type, votes): Profile Description

CVE-2024-38112 (Unspecified, 1 vote): None

CVE-2015-5119 (Unspecified, 1 vote): CVE-2015-5119 is a software vulnerability, specifically a flaw in the design or implementation of Adobe Flash. This vulnerability was discovered as part of the Hacking Team data breach that took place in 2015. In this leak, internal data of the Italian cybersecurity firm Hacking Team was exposed, in

CVE-2017-7269 (Unspecified, 1 vote): None
Source Document References
Information about the PLEAD malware was read from the document corpus below. This display is limited to 20 results.
Source, created at: Title

Securityaffairs, 2 days ago: Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION

Securityaffairs, 3 months ago: Cuttlefish targets enterprise-grade SOHO routers

DARKReading, 3 months ago: 'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

DARKReading, 4 months ago: How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

CERT-EU, 5 months ago: The latest cybercriminal news (8 March 2024) • Cybersécurité OSINT

CERT-EU, 5 months ago: New Linux Malware "Migo" Exploits Redis for Cryptojacking, Disables Security

InfoSecurity-magazine, 5 months ago: Ukrainian Faces Decades in Prison for Leading Prolific Malware Campaig

CERT-EU, 9 months ago: Ex-NSA techie admits to selling state secrets to Russia

CERT-EU, 10 months ago: China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies

CERT-EU, 10 months ago: Links 16/09/2023: IBM and Canonical Pushing Wayland

CERT-EU, a year ago: Maui Recovery Website, Grandmothers of Plaza de Mayo, Snapchat, More: Thursday Afternoon ResearchBuzz, September 7, 2023

CERT-EU, a year ago: Leftover Links 27/08/2023: Windows TCO Stories and Linux Foundation 'Masters'

BankInfoSecurity, a year ago: US Man Admits to $4.5B Bitfinex Hack, Money Laundering

CERT-EU, a year ago: Leftover Links 14/07/2023: Microsoft in Trouble With the FTC Again, This Time Over 'Open' 'AI'

CERT-EU, a year ago: The latest cybercrime news | 7 July 2023

CERT-EU, a year ago: The latest cybercrime news | 30 June 2023

BankInfoSecurity, a year ago: Worker Inappropriately Accessed Patient Records for 15 Years

CERT-EU, a year ago: Twitter hacker and crypto scammer sentenced to five years in prison | Engadget

MITRE, a year ago: The Trail of BlackTech's Cyber Espionage Campaigns