PlugX

Malware updated a month ago (2024-10-17T12:01:53.636Z)
Download STIX
Preview STIX
PlugX is a Remote Access Trojan (RAT) malware known for its stealthy operations and destructive capabilities. It is often used by threat actors to exploit and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to several cyber attacks including those by the Winnti group and LockFile ransomware activity. PlugX utilizes DLL side-loading techniques to remain undetected, making it a potent tool in the hands of malicious actors. The malware has been associated with Chinese government-sponsored threat groups, as evidenced by the connections between LockFile ransomware activity, HUI Loader, and a specific sub-version of PlugX. The use of political lures and PlugX components has also been attributed to MustangPanda, another threat group. Furthermore, the malware was found on a suspect's laptop during a police investigation, indicating its widespread use in cybercrime. The backdoor features of PlugX bear similarities to DRBControl backdoor and APT31's RAT 'GrewApacha', suggesting possible collaborations or shared tactics among different threat groups. In response to the escalating threats posed by PlugX, French authorities have launched a disinfection operation aimed at eradicating the malware from infected hosts. This initiative underscores the seriousness of the PlugX threat and the concerted efforts required to counteract it. Despite these measures, PlugX continues to be a significant cybersecurity concern due to its sophisticated evasion techniques and its association with various high-profile threat groups.
Description last updated: 2024-10-17T11:51:58.481Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
ShadowPad is a possible alias for PlugX. ShadowPad is a sophisticated malware, known for its modular backdoor capabilities, that has been popular among Chinese threat actors for over seven years. It is designed to infiltrate systems often through suspicious downloads, emails, or websites, and once inside, it can steal personal information,
9
Korplug is a possible alias for PlugX. Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in
6
Winnti is a possible alias for PlugX. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such
4
Doplugs is a possible alias for PlugX. DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U
3
Hodur is a possible alias for PlugX. Hodur is a sophisticated malware variant of Korplug (also known as PlugX), often deployed by China-aligned threat actors, such as the Mustang Panda group. The malware is designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. Once in
2
Paranoid Plugx is a possible alias for PlugX. Paranoid PlugX is a sophisticated malware designed to exploit and damage computer systems, often infiltrating without the user's knowledge. It typically enters a system through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even
2
Killsomeone is a possible alias for PlugX. KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware ope
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Rat
Loader
Payload
Apt
Trojan
Windows
Exploit
Cobalt Strike
Chinese
State Sponso...
Phishing
Html
Implant
Encryption
Espionage
Tool
Downloader
exploitation
Antivirus
Beacon
Trellix
Cybercrime
Vulnerability
Malware Payl...
Encrypt
Botnet
Worm
Dropper
Ransomware
Decoy
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Black Basta Malware is associated with PlugX. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defensesUnspecified
3
The KEYPLUG Malware is associated with PlugX. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, specUnspecified
2
The Brute Ratel Malware is associated with PlugX. Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. VariUnspecified
2
The Meterpreter Malware is associated with PlugX. Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once instaUnspecified
2
The Poison Ivy Malware is associated with PlugX. Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dUnspecified
2
The China Chopper Malware is associated with PlugX. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fouUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Mustang Panda Threat Actor is associated with PlugX. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modifUnspecified
5
The BRONZE PRESIDENT Threat Actor is associated with PlugX. Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. BroUnspecified
3
The RedDelta Threat Actor is associated with PlugX. RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activUnspecified
3
The Redgolf Threat Actor is associated with PlugX. RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of theUnspecified
2
The Bronze Starlight Threat Actor is associated with PlugX. Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze StarligUnspecified
2
The APT41 Threat Actor is associated with PlugX. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activiUnspecified
2
The Mustangpanda Threat Actor is associated with PlugX. MustangPanda is a threat actor, or malicious entity, that has been active since at least 2012. Known for its sophisticated cyber-attacks, MustangPanda has targeted American and European entities including government organizations, think tanks, non-governmental organizations (NGOs), and even CatholicUnspecified
2
The Lancefly Threat Actor is associated with PlugX. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication sectoUnspecified
2
The APT10 Threat Actor is associated with PlugX. APT10, also known as menuPass, is a sophisticated threat actor believed to be operating on behalf of the Chinese Ministry of State Security (MSS). It has been active since at least 2006 and has been linked to numerous cyber espionage campaigns. The group utilizes advanced techniques and tools that aUnspecified
2
The TA416 Threat Actor is associated with PlugX. TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a PlugUnspecified
2
Source Document References
Information about the PlugX Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
ESET
2 months ago
Checkpoint
2 months ago
Securityaffairs
2 months ago
Securityaffairs
2 months ago
Securelist
3 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
BankInfoSecurity
5 months ago
Securityaffairs
5 months ago
DARKReading
5 months ago
BankInfoSecurity
6 months ago
Unit42
6 months ago
DARKReading
6 months ago
ESET
7 months ago
DARKReading
8 months ago
Trend Micro
8 months ago
Unit42
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago