PlugX

Malware updated 14 hours ago (2024-10-17T12:01:53.636Z)
PlugX is a Remote Access Trojan (RAT) known for stealthy operation and destructive capabilities. Threat actors use it to compromise and damage computer systems, steal personal information, disrupt operations, or hold data hostage for ransom. Its deployment has been linked to several cyber attacks, including those by the Winnti group and LockFile ransomware activity. PlugX relies on DLL side-loading to evade detection, which makes it a potent tool in the hands of malicious actors. The malware has been associated with Chinese government-sponsored threat groups, as evidenced by the connections between LockFile ransomware activity, HUI Loader, and a specific sub-version of PlugX. The use of political lures together with PlugX components has also been attributed to MustangPanda, another threat group. The malware was also found on a suspect's laptop during a police investigation, indicating its widespread use in cybercrime. PlugX's backdoor features resemble those of the DRBControl backdoor and APT31's RAT 'GrewApacha', suggesting possible collaboration or shared tactics among different threat groups. In response to the escalating threat posed by PlugX, French authorities launched a disinfection operation aimed at eradicating the malware from infected hosts. This initiative underscores the seriousness of the PlugX threat and the concerted effort required to counter it. Despite these measures, PlugX remains a significant cybersecurity concern because of its sophisticated evasion techniques and its association with various high-profile threat groups.
Description last updated: 2024-10-17T11:51:58.481Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
ShadowPad | ShadowPad is a possible alias for PlugX. ShadowPad is a malicious software (malware) that has been in use since at least 2017, particularly among Chinese threat actors. This modular backdoor malware is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data for ransom. It typ | 9
Korplug | Korplug is a possible alias for PlugX. Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in | 6
Winnti | Winnti is a possible alias for PlugX. Winnti, a notorious threat actor group, has been linked to several sophisticated cyber-espionage activities. First identified by Kaspersky in 2013, it is believed that the group has been active since at least 2007, primarily targeting software supply chains to spread malware. Winnti is part of the A | 4
Doplugs | Doplugs is a possible alias for PlugX. DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U | 3
Hodur | Hodur is a possible alias for PlugX. Hodur is a sophisticated malware variant of Korplug (also known as PlugX), often deployed by China-aligned threat actors, such as the Mustang Panda group. The malware is designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. Once in | 2
Paranoid Plugx | Paranoid Plugx is a possible alias for PlugX. Paranoid PlugX is a sophisticated malware designed to exploit and damage computer systems, often infiltrating without the user's knowledge. It typically enters a system through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even | 2
Killsomeone | Killsomeone is a possible alias for PlugX. KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware ope | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
RAT
Loader
Payload
APT
Trojan
Windows
Exploit
Cobalt Strike
Chinese
State Sponso...
Phishing
HTML
Implant
Encryption
Espionage
Tool
Downloader
exploitation
Antivirus
Beacon
Trellix
Cybercrime
Vulnerability
Malware Payl...
Encrypt
Botnet
Worm
Dropper
Ransomware
Decoy
Associated Malware
Alias | Description | Association Type | Votes
Black Basta | The Black Basta Malware is associated with PlugX. Black Basta is a notorious malware and ransomware group known for its high-profile attacks on various sectors. The group, also known as Storm-0506, has been active since at least early 2022 and has accumulated over $107 million in Bitcoin ransom payments. It deploys malicious software to exploit vul | Unspecified | 3
KEYPLUG | The KEYPLUG Malware is associated with PlugX. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, spec | Unspecified | 2
Brute Ratel | The Brute Ratel Malware is associated with PlugX. Brute Ratel is a malicious software (malware) that has been increasingly used by cyber threat actors to exploit and damage computer systems. It is often delivered through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, Brute Ratel can s | Unspecified | 2
Meterpreter | The Meterpreter Malware is associated with PlugX. Meterpreter is a type of malware that is part of the Metasploit penetration testing software. It serves as an attack payload and provides an interactive shell, allowing threat actors to control and execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a | Unspecified | 2
Poison Ivy | The Poison Ivy Malware is associated with PlugX. Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d | Unspecified | 2
China Chopper | The China Chopper Malware is associated with PlugX. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fou | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Mustang Panda | The Mustang Panda Threat Actor is associated with PlugX. Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif | Unspecified | 5
BRONZE PRESIDENT | The BRONZE PRESIDENT Threat Actor is associated with PlugX. Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro | Unspecified | 3
RedDelta | The RedDelta Threat Actor is associated with PlugX. RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ | Unspecified | 3
Redgolf | The Redgolf Threat Actor is associated with PlugX. RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the | Unspecified | 2
Bronze Starlight | The Bronze Starlight Threat Actor is associated with PlugX. Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze Starlig | Unspecified | 2
APT41 | The APT41 Threat Actor is associated with PlugX. APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a threat actor suspected to be linked to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. They have used a variety of sophisticated techniques and malware, including at least 46 | Unspecified | 2
Mustangpanda | The Mustangpanda Threat Actor is associated with PlugX. MustangPanda is a threat actor, or malicious entity, that has been active since at least 2012. Known for its sophisticated cyber-attacks, MustangPanda has targeted American and European entities including government organizations, think tanks, non-governmental organizations (NGOs), and even Catholic | Unspecified | 2
Lancefly | The Lancefly Threat Actor is associated with PlugX. Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto | Unspecified | 2
APT10 | The APT10 Threat Actor is associated with PlugX. APT10, also known as Menupass Team or menuPass, is a Chinese cyber espionage group that has been active since at least 2006. The group is believed to operate on behalf of the Chinese Ministry of State Security (MSS). It primarily targets sectors such as construction and engineering, aerospace, telec | Unspecified | 2
TA416 | The TA416 Threat Actor is associated with PlugX. TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a Plug | Unspecified | 2
Source Document References
Information about the PlugX Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
ESET | 15 days ago
Checkpoint | 23 days ago
Securityaffairs | a month ago
Securityaffairs | a month ago
Securelist | 2 months ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
BankInfoSecurity | 4 months ago
Securityaffairs | 4 months ago
DARKReading | 4 months ago
BankInfoSecurity | 5 months ago
Unit42 | 5 months ago
DARKReading | 5 months ago
ESET | 6 months ago
DARKReading | 7 months ago
Trend Micro | 7 months ago
Unit42 | 8 months ago
CERT-EU | 8 months ago
CERT-EU | 8 months ago