PlugX

Malware Profile Updated a month ago
PlugX is a notorious malware family, typically associated with Chinese threat actors, that has been used in many cyberattacks. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It is particularly known for its ability to remain undetected by leveraging DLL side-loading techniques.

The PlugX Remote Access Trojan (RAT) has been used extensively by threat groups such as Winnti and Velvet Ant, who installed it on both legacy Windows Server 2003 systems and newer Windows systems after tampering with their endpoint detection and response (EDR) protections. The malware has been linked to LockFile ransomware activity on the basis of analysis of a PlugX sample. A specific sub-version of PlugX has also been associated with the HUI Loader, suggesting that the threat group behind the HUI Loader-linked ransomware activity has access to malware developed by Chinese government-sponsored groups.

In some intrusions, two versions of PlugX were deployed within a network: the first was configured with an external command-and-control (C2) server and installed on endpoints with direct internet access, facilitating the exfiltration of sensitive information. In other cases, however, researchers found no sign of PlugX-infected hosts communicating with an external C2 server, raising questions about the communication methods used by the threat actor.

Investigations revealed that the threat actors used a substantial portion of the correlated infrastructure, either presently or historically, as C2 servers for two prominent pieces of malware: PlugX and Trochilus RAT. Both are largely associated with Chinese threat actors, and attacks launched by these groups generally parallel Chinese office hours and employ tools typical of Chinese APT groups.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile Description

ShadowPad (9 votes): ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in

Korplug (6 votes): Korplug, also known as PlugX, is a type of malware developed and utilized by the China-aligned Advanced Persistent Threat (APT) group, Mustang Panda. This malicious software is designed to infiltrate computer systems without detection, often through suspicious downloads, emails, or websites. Once in

Doplugs (3 votes): DOPLUGS is a variant of the PlugX malware, developed and deployed by the China-linked Advanced Persistent Threat (APT) group Mustang Panda. Active since 2022, this unique malware has been used in targeted campaigns against various Asian countries including Taiwan, Vietnam, India, Japan, and China. U

Paranoid Plugx (2 votes): Paranoid PlugX is a sophisticated malware designed to exploit and damage computer systems, often infiltrating without the user's knowledge. It typically enters a system through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even

Hodur (2 votes): Hodur is a sophisticated malware variant of Korplug (also known as PlugX), often deployed by China-aligned threat actors, such as the Mustang Panda group. The malware is designed to exploit and damage computer systems, typically infiltrating through suspicious downloads, emails, or websites. Once in

Killsomeone (2 votes): KillSomeOne is a highly potent malware that has been integrated with various variants of the PlugX malware, a notorious backdoor Trojan. The first variant of this integration was discovered in 2018, as part of a DOPLUGS variant, which showcased the KillSomeOne module's capabilities. This malware ope

Poisonplug (1 vote): None

Cobra Docguard (1 vote): Cobra DocGuard, a software produced by Chinese firm EsafeNet for protecting, encrypting, and decrypting software, has been exploited in a series of malware attacks. The attackers compromised the software's update files to deliver malicious updates that infected targeted systems. The first known inst

fualtrep.dll (1 vote): None

DarkComet (1 vote): DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es

Axiomaticasymptote (1 vote): Axiomaticasymptote is a type of malware, a malicious software designed to infiltrate and damage computer systems without the user's knowledge. It typically operates in conjunction with other malware such as Cobalt Strike, Meterpreter, PlugX, Mythic, Metasploit, XtremeRAT, and CROSSWALK. These harmfu

Lockfile (1 vote): LockFile is a type of malicious software, or malware, that has been linked to ransomware activity. This harmful program can infiltrate your system via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold your data for ransom. Analysis of the PlugX
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Backdoor, Loader, Payload, Rat, Apt, Trojan, Windows, Cobalt Strike, Chinese, Implant, Html, State Sponso..., Exploit, Encryption, Downloader, Tool, Espionage, Phishing, Beacon, Cybercrime, Dropper, Malware Payl..., Encrypt, Trellix, Decoy, exploitation, Antivirus, Evasive, Acrobat, Malware Drop..., t1574.002, Botnet, exploited, Reconnaissance, Rootkit, Exploits, Europe, Atom, Asian, Symantec, Github, Checkpoint, Eset, Gbhackers, Malware Loader, Injector, Vulnerability, Worm, Taiwan, Shellcode, t1574.001, Ransomware, China, dos, Proxy, Golang, Proofpoint, bugs, Bot, Denial of Se..., Asia, Web Shell, Infiltration, Lateral_move...
Associated Malware
ID (type, votes): Profile Description

Black Basta (Unspecified, 3 votes): Black Basta is a notorious malware group known for its malicious software, specifically ransomware attacks. Since early 2022, the Black Basta Ransomware gang has been actively involved in cybercrimes, amassing at least $107 million in Bitcoin ransom payments. The group's modus operandi involves expl

China Chopper (Unspecified, 2 votes): China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated

Poison Ivy (Unspecified, 2 votes): Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d

Brute Ratel (Unspecified, 2 votes): Brute Ratel is a sophisticated malware variant that has been used in a series of cyber attacks targeting diplomatic staff and other sensitive targets. It's delivered through custom loaders embedded in lure documents, which are designed to trick the recipient into triggering the infection process. On

Meterpreter (Unspecified, 2 votes): Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste

KEYPLUG (Unspecified, 2 votes): KeyPlug is a modular backdoor malware, written in C++, that has been used extensively by the APT41 group to target systems globally. Notably, between June and December 2021, it was heavily deployed against state government victims, exploiting Windows systems with significant effect. KeyPlug supports

Cobra (Unspecified, 1 vote): Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup

Pivy (Unspecified, 1 vote): PIVY, a type of malware, is known for its harmful exploits on computers and devices. It infiltrates systems through dubious downloads, emails, or websites, often without the user's awareness. Once inside, it can steal personal information, disrupt operations, or even hold data for ransom. PIVY has b

Gh0st (Unspecified, 1 vote): Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware co

gh0st RAT (Unspecified, 1 vote): Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's

Dinodasrat (Unspecified, 1 vote): DinodasRAT is a multi-platform backdoor malware written in C++, which has been causing significant cybersecurity issues worldwide. This malicious software is designed to exploit and damage computer systems, primarily targeting Linux users, specifically those using Red Hat-based distributions and Ubu

Sogu (Unspecified, 1 vote): SOGU is a malicious software (malware) attributed to TEMP.Hex, a threat actor linked to China. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations

Aspxtool (Unspecified, 1 vote): ASPXTool is a type of malware, specifically a modified version of the ASPXSpy web shell. This malicious software is designed to infiltrate and exploit computer systems, often entering undetected through suspicious downloads, emails, or websites. Once inside a system, it can steal personal informatio

Stately Taurus (Unspecified, 1 vote): Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc

ChChes (Unspecified, 1 vote): ChChes is a malware family that has been linked to the Advanced Persistent Threat (APT) group known as "menuPass." The malware was first identified in 2016 when it was used to target Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. ChC

HyperBro (Unspecified, 1 vote): HyperBro is a malicious software (malware) that has been utilized in a sophisticated cyber espionage campaign targeting semiconductor industries primarily in Taiwan, Hong Kong, and Singapore. This malware was discovered being used in conjunction with a lure purporting to be from the Taiwan Semicondu

ZxShell (Unspecified, 1 vote): ZXShell is a malicious software (malware) that has been used by various cyber threat actors to exploit and damage computer systems. It is known to be associated with other malware such as PANDORA, SOGU, GHOST, WIDEBERTH, QUICKPULSE, FLOWERPOT, QIAC, Gh0st, Poison Ivy, BEACON, HOMEUNIX, STEW, among o

RedLeaves (Unspecified, 1 vote): RedLeaves is a malicious software (malware) that has been utilized in cyber espionage campaigns for over five years, as reported by Trend Micro. This malware, which is known to infect Windows machines, operates as a remote access trojan (RAT), enabling unauthorized access and control over infected s

QakBot (Unspecified, 1 vote): Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e

IcedID (Unspecified, 1 vote): IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat

Emotet (Unspecified, 1 vote): Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,

Bumblebee (Unspecified, 1 vote): Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam

ZeroT (Unspecified, 1 vote): ZeroT is a malicious software (malware) that was first discovered in 2016, designed to exploit and damage computer systems. It primarily infiltrated victims' machines through Trojan-infected Word documents attached to emails. One notable instance involved the CHM file 20160621.chm, which dropped the

NetTraveler (Unspecified, 1 vote): NetTraveler is a harmful malware that can infect computers and steal personal information. The malware is usually spread through suspicious downloads, emails, or websites, without the user's knowledge. It can disrupt operations, hold data hostage, and damage computer systems. NetTraveler shares si

HTTPBrowser (Unspecified, 1 vote): HTTPBrowser is a potent form of malware, or malicious software, used to exploit and damage computer systems. It has been deployed by groups such as BRONZE UNION and Wekby to execute tools like PlugX and HTTPBrowser itself, making it difficult for network defenders to detect. The malware can infiltra

PoisonIvy (Unspecified, 1 vote): PoisonIvy is a malicious software (malware) known for its damaging capabilities, including stealing personal information and disrupting system operations. The malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it maintai

RCSession (Unspecified, 1 vote): RCSession is a basic Remote Access Trojan (RAT) malware, installed via DLL side-loading and primarily used by the threat group known as BRONZE PRESIDENT. The malware was first described by Dell Secureworks in a blog published in December 2019, where it was identified as a part of the Type 2 malware

Formbook (Unspecified, 1 vote): Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being

Mgbot (Unspecified, 1 vote): MgBot is a sophisticated malware used exclusively by the threat actor group known as Evasive Panda. This malicious software, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computer systems without the user's knowledge. Once inside, M

Brc4 (Unspecified, 1 vote): Brc4 is a malicious software (malware) associated with Brute Ratel C4, the latest red-teaming and adversarial attack simulation tool available on the market. The malware can infiltrate your system via suspicious downloads, emails, or websites, often without your knowledge. Once inside, it can steal

Cobalt Strike Beacon (Unspecified, 1 vote): Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
Associated Threat Actors
ID (type, votes): Profile Description

Mustang Panda (Unspecified, 5 votes): Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar

Winnti (Unspecified, 4 votes): Winnti, a threat actor or group also known as Starchy Taurus and APT41, has been active since at least 2007, first identified by Kaspersky in 2013. This Chinese state-sponsored entity is renowned for its ability to target supply chains of legitimate software to disseminate malware. The group is link

BRONZE PRESIDENT (Unspecified, 3 votes): Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro

RedDelta (Unspecified, 3 votes): RedDelta, also known as Bronze President, is a threat actor that has been conducting cyber-espionage attacks since 2014. It is one of the likely Ministry of State Security (MSS)-linked groups which include APT10, APT17, APT27, APT40, APT41, TAG-22, and RedBravo among others. The organization's activ

TA416 (Unspecified, 2 votes): TA416 is an advanced persistent threat (APT) group that targets organizations globally with customized versions of the PlugX malware. TA416 has used a distinct installation method of a PE dropper to retrieve Trident loaded payload components using a legitimate PE and a DLL loader file to load a Plug

APT10 (Unspecified, 2 votes): APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted

Redgolf (Unspecified, 2 votes): RedGolf, a Chinese state-sponsored threat activity group, has been actively targeting Windows and Linux systems with the KEYPLUG backdoor. This group's activities have been closely associated with other threat groups including APT41, Wicked Panda, Bronze Atlas, and Barium. The first known use of the

APT41 (Unspecified, 2 votes): APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4

Lancefly (Unspecified, 2 votes): Lancefly, a threat actor potentially associated with China, has been identified as the group behind an ongoing cyberespionage campaign targeting organizations in South and Southeast Asia. The targets include government bodies, aviation companies, educational institutions, and telecommunication secto

Bronze Starlight (Unspecified, 2 votes): Bronze Starlight, a threat actor linked to China, has been implicated in a series of cyber-espionage activities and ransomware attacks. As reported by Secureworks, a Dell Technologies company, in 2022, Bronze Starlight targeted companies with ransomware, while also engaging in more clandestine activ

Carderbee (Unspecified, 1 vote): Carderbee, a previously unknown Advanced Persistent Threat (APT) group, has been identified as the perpetrator behind a series of supply chain attacks against organizations in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team reported that Carderbee used a malware-infused version

Mustangpanda (Unspecified, 1 vote): None

Crosswalk (Unspecified, 1 vote): Crosswalk, a threat actor in the cybersecurity industry, has been identified as utilizing FakeTLS in its traffic, presenting significant security concerns. This modular backdoor is implemented in shellcode, with the main payload being the Crosswalk backdoor itself. The malicious files associated wit

Red Delta (Unspecified, 1 vote): Red Delta is a threat actor, a term used in cybersecurity to describe an entity that executes actions with malicious intent. This could be an individual, a private company, or a government organization. Red Delta has been identified as being involved in a series of cyber threats and attacks. In a hi

Earth Preta (Unspecified, 1 vote): Earth Preta, also known as Mustang Panda, Bronze President, TA416, RedDelta, and Stately Taurus, is a prominent threat actor group that has been operational since at least 2012. The group has been highly active in Europe and Asia, employing a variety of tools and malware for their malicious activiti

Earth Krahang (Unspecified, 1 vote): Earth Krahang is a threat actor, a term used in cybersecurity to describe an entity responsible for malicious activities. This could be an individual, a private company, or even a government organization. In the world of cybersecurity, unique names are often given to these actors to differentiate th

Iron Tiger (Unspecified, 1 vote): Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att

DragonOK (Unspecified, 1 vote): DragonOK, a threat actor group reportedly linked to China, has been associated with various malicious activities, including the deployment of the infamous Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT allows threat actors to gain complete control over a targeted machine

Earth Estries (Unspecified, 1 vote): Earth Estries is a cyberespionage group, or threat actor, that has targeted government entities and tech firms across the globe, including in the US, Germany, South Africa, Asia, Malaysia, the Philippines, and Taiwan. While the exact origin of Earth Estries remains unclear, there are indications sug

Camaro Dragon (Unspecified, 1 vote): Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Checkpoint Research has discovered and analyzed a custom firmware image affiliated with Camaro Dragon, which contained multiple malicious components

Blackfly (Unspecified, 1 vote): Blackfly is a threat actor, tracked by Symantec, that has been involved in cyber-attacks primarily targeting South Korean companies, especially those in the video game and software development industry. The group initiated its activities with a campaign to steal certificates, which were later utiliz

menuPass (Unspecified, 1 vote): MenuPass, also known as APT10, Stone Panda, and ALPHV BlackCat, is a threat actor suspected to be linked to the Chinese government. This cyber espionage group has been active since at least 2009, according to Mandiant, and has targeted a wide range of sectors including construction, engineering, aer

Winnti Group (Unspecified, 1 vote): The Winnti Group, a collective of Chinese Advanced Persistent Threat (APT) groups including APT41, first gained notoriety for its attacks on computer game developers. The group was initially spotted by Kaspersky in 2013, but researchers suggest that this nation-state actor has been active since at l
Associated Vulnerabilities
ID (type, votes): Profile Description

Poison Ivy Pivy (Unspecified, 1 vote): None

CVE-2017-0199 (Unspecified, 1 vote): CVE-2017-0199 is a notable software vulnerability, specifically a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. This vulnerability has been exploited over the years to spread various notorious malware families. In 2017, it was used to dissemin

CVE-2017-11882 (Unspecified, 1 vote): CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful

Brute Ratel Brc4 (Unspecified, 1 vote): None
Source Document References
Information about the PlugX malware was read from the documents corpus below (this display is limited to 20 results).
Source (created at): Title

BankInfoSecurity (a month ago): Researchers Uncover Chinese Hacking Cyberespionage Campaign
Securityaffairs (a month ago): Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign
DARKReading (a month ago): China's 'Velvet Ant' APT Nests Inside Multiyear Espionage Effort
BankInfoSecurity (2 months ago): Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42 (2 months ago): Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
DARKReading (2 months ago): China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
ESET (3 months ago): Malware hiding in pictures? More likely than you think
DARKReading (4 months ago): Chinese APT 'Earth Krahang' Compromises 48 Gov't Orgs on 5 Continents
Trend Micro (4 months ago): Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
Unit42 (5 months ago): Intruders in the Library: Exploring DLL Hijacking
CERT-EU (5 months ago): iSoon's Secret APT Status Exposes China's Foreign Hacking Machination | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (5 months ago): Sophisticated PlugX backdoor variant leveraged in Mustang Panda attacks
DARKReading (5 months ago): iSoon's Secret APT Status Exposes China's Foreign Hacking Machination
CERT-EU (5 months ago): New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
Securityaffairs (5 months ago): New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS
CERT-EU (5 months ago): Chinese Hacking Contractor iSoon Leaks Internal Documents | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity (5 months ago): Chinese Hacking Contractor iSoon Leaks Internal Documents
Trend Micro (5 months ago): Earth Preta Campaign Uses DOPLUGS to Target Asia
Malwarebytes (6 months ago): Malicious ads for restricted messaging applications target Chinese users | Malwarebytes
InfoSecurity-magazine (6 months ago): Black Basta Ransomware Decryptor Published