win.plugx (Back to overview)


aka: Destroy RAT, Kaba, Korplug, Sogu, TIGERPLUG, RedDelta

Actor(s): APT 22, APT 26, APT31, APT41, Aurora Panda, Calypso group, DragonOK, EMISSARY PANDA, Hellsing, Hurricane Panda, Leviathan, Mirage, Mustang Panda, NetTraveler, Nightshade Panda, SLIME29, Samurai Panda, Stone Panda, UPS, Violin Panda


RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

Notable features of this malware family are the ability to execute commands on the affected machine to retrieve:
machine information
capture the screen
send keyboard and mouse events
reboot the system
manage processes (create, kill and enumerate)
manage services (create, start, stop, etc.); and
manage Windows registry entries, open a shell, etc.

The malware also logs its events in a text log file.

2024-05-23Palo Alto Networks Unit 42Daniel Frank, Lior Rochberger
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Agent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter
2024-04-19Spiegel OnlineChristoph Giesen, Hakan Tanriverdi, Simon Hage
VW-Konzern wurde jahrelang ausspioniert – von China?
2024-03-18Trend MicroDaniel Lunghi, Joseph C Chen
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
DinodasRAT PlugX Reshell ShadowPad Earth Krahang
2024-02-21YouTube (SentinelOne)Kris McConkey
LABSCon23 Replay | Chasing Shadows | The rise of a prolific espionage actor
9002 RAT PlugX ShadowPad Spyder Earth Lusca
2024-01-25JSAC 2024Yi-Chin Chuang, Yu-Tung Chang
Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide
2024-01-25JSAC 2024Hara Hiroaki, Kawakami Ryonosuke, Shota Nakajima
The Secret Life of RATs: connecting the dots by dissecting multiple backdoors
DracuLoader GroundPeony HemiGate PlugX
Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks
PlugX TONESHELL Unidentified 094
2024-01-09Recorded FutureInsikt Group
2023 Adversary Infrastructure Report
AsyncRAT Cobalt Strike Emotet PlugX ShadowPad
2023-12-06splunkSplunk Threat Research Team
Unmasking the Enigma: A Historical Dive into the World of PlugX Malware
2023-09-08PolySwarm Tech TeamThe Hivemind
Carderbee Targets Hong Kong in Supply Chain Attack
PlugX Carderbee
2023-09-07SekoiaJamila B.
My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit MirrorFace
2023-08-22SymantecThreat Hunter Team
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
PlugX Carderbee
2023-08-07Recorded FutureInsikt Group
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
Winnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca
2023-07-11MandiantNg Choon Kiat, Rommel Joven
The Spies Who Loved You: Infected USB Drives to Steal Secrets
2023-07-03Check Point ResearchCheckpoint Research
Chinese Threat Actors Targeting Europe in SmugX Campaign
PlugX SmugX
2023-05-15SymantecThreat Hunter Team
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors
Merdoor PlugX ShadowPad ZXShell Lancefly
New Mustang Panda’s campaing against Australia
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-30Recorded FutureInsikt Group
With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets
KEYPLUG Cobalt Strike PlugX RedGolf
PlugX Malware Being Distributed via Vulnerability Exploitation
2023-03-09SophosGabor Szappanos
A border-hopping PlugX USB worm takes its act on the road
2023-02-24Trend MicroBuddy Tancio, Catherine Loveria, Jed Valderama
Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
2023-02-02EclecticIQEclecticIQ Threat Research Team
Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
2023-01-26Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
Chinese PlugX Malware Hidden in Your USB Devices?
2023-01-26TEAMT5Still Hsu
Brief History of MustangPanda and its PlugX Evolution
2023-01-09kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Another nice PlugX sample
2022-12-27kienmanowar Blogm4n0w4r, Tran Trung Kien
Diving into a PlugX sample of Mustang Panda group
2022-12-22Recorded FutureInsikt Group
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
PlugX RedDelta
2022-12-06BlackberryBlackBerry Research & Intelligence Team
Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
2022-12-02Avast DecodedThreat Intelligence Team
Hitching a ride with Mustang Panda
2022-11-30FFRI SecurityMatsumoto
Evolution of the PlugX loader
PlugX Poison Ivy
2022-10-06BlackberryThe BlackBerry Research & Intelligence Team
Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims
2022-09-29SymantecThreat Hunter Team
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
CHINACHOPPER Lookback MimiKatz PlugX Unidentified 096 (Keylogger) x4 Witchetty
2022-09-26Palo Alto Networks Unit 42Daniela Shalev, Itay Gamliel
Hunting for Unsigned DLLs to Find APTs
PlugX Raspberry Robin Roshtyak
2022-09-14Security JoesFelipe Duarte
Dissecting PlugX to Extract Its Crown Jewels
2022-09-13SymantecThreat Hunter Team
New Wave of Espionage Activity Targets Asian Governments
MimiKatz PlugX Quasar RAT ShadowPad Trochilus RAT
2022-09-09Github (m4now4r)m4n0w4r
“Mustang Panda” – Enemy at the gate
2022-09-08CybereasonAleksandar Milenkoski, Kotaro Ogino, Yuki Shibuya
Threat Analysis Report: PlugX RAT Loader Evolution
2022-09-08SecureworksCounter Threat Unit ResearchTeam
BRONZE PRESIDENT Targets Government Officials
2022-07-18YouTube (Security Joes)Felipe Duarte
PlugX DLL Side-Loading Technique
2022-07-18Palo Alto Networks Unit 42Unit 42
Shallow Taurus
FormerFirstRAT IsSpace NewCT PlugX Poison Ivy Tidepool DragonOK
2022-06-27Kaspersky ICS CERTArtem Snegirev, Kirill Kruglov
Attacks on industrial control systems using ShadowPad
Cobalt Strike PlugX ShadowPad
2022-06-23SecureworksCounter Threat Unit ResearchTeam
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-05-23Trend MicroDaniel Lunghi, Jaromír Hořejší
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-05-20VinCSSDang Dinh Phuong, m4n0w4r, Tran Trung Kien
[RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam
2022-05-17Positive TechnologiesPositive Technologies
Space Pirates: analyzing the tools and connections of a new hacker group
FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax
2022-05-16JPCERT/CCShusei Tomonaga
Analysis of HUI Loader
HUI Loader PlugX Poison Ivy Quasar RAT
2022-05-12TEAMT5Leon Chang, Silvia Yeh
The Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT (slides)
KEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu
2022-05-05Cisco TalosAliza Berk, Asheer Malhotra, Jung soo An, Justin Thattil, Kendall McKay
Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX Unidentified 094
2022-05-02Sentinel LABSAmitai Ben Shushan Ehrlich, Joey Chen
Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
PlugX ShadowPad Moshen Dragon
2022-04-28PWCPWC UK
Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2022-04-28DARKReadingJai Vijayan
Chinese APT Bronze President Mounts Spy Campaign on Russian Military
2022-04-27SecureworksCounter Threat Unit ResearchTeam
BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka
2022-04-27Trend MicroDaniel Lunghi, Jaromír Hořejší
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka
2022-04-14NSHC RedAlert LabsNSHC Threatrecon Team
Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB
2022-04-12Max Kersten's BlogMax Kersten
Ghidra script to handle stack strings
CaddyWiper PlugX
2022-03-28TrellixMarc Elias, Max Kersten
PlugX: A Talisman to Behold
2022-03-25ESET ResearchAlexandre Côté Cyr
Mustang Panda's Hodur: Old stuff, new variant of Korplug
2022-03-24Threat PostNate Nelson
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection
2022-03-23ESET ResearchAlexandre Côté Cyr
Mustang Panda’s Hodur: Old tricks, new Korplug variant
2022-03-23BleepingComputerBill Toulas
New Mustang Panda hacking campaign targets diplomats, ISPs
2022-03-07ProofpointMichael Raggi, Myrtus 0x0
The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
2022-02-17SinaCyberAdam Kozy
Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States”
PlugX APT26 APT41
2022-01-06Cyber And Ramen blogMike R
A “GULP” of PlugX
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2021-11-18CiscoJosh Pyorre
BlackMatter, LockBit, and THOR
BlackMatter LockBit PlugX
2021-11-04Youtube (Virus Bulletin)Joey Chen, Yi-Jhen Hsieh
ShadowPad: the masterpiece of privately sold malware in Chinese espionage
PlugX ShadowPad
2021-10-18NortonLifeLockNorton Labs
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax
2021-09-28Recorded FutureInsikt Group®
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti
2021-09-14McAfeeChristiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti
2021-09-10The RecordCatalin Cimpanu
Indonesian intelligence agency compromised in suspected Chinese hack
2021-09-01YouTube (Black Hat)Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-09-01YouTube (Hack In The Box Security Conference)Joey Chen, Yi-Jhen Hsieh
SHADOWPAD: Chinese Espionage Malware-as-a-Service
PlugX ShadowPad
2021-08-23SentinelOneJoey Chen, Yi-Jhen Hsieh
ShadowPad: the Masterpiece of Privately Sold Malware in Chinese Espionage
PlugX ShadowPad
2021-07-27Palo Alto Networks Unit 42Alex Hinchliffe, Mike Harbison
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
2021-07-21BitdefenderBogdan Botezatu, Victor Vrabie
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
2021-06-16Recorded FutureInsikt Group®
Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Icefog PcShare PlugX Poison Ivy QuickHeal DAGGER PANDA
2021-06-02xorhex blogTwitter (@xorhex)
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
2021-06-02Twitter (@xorhex)Xorhex
Tweet on new variant of PlugX from RedDelta Group
2021-05-27xorhex blogTwitter (@xorhex)
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
2021-05-17xorhex blogTwitter (@xorhex)
Mustang Panda PlugX - Pivot
2021-05-07TEAMT5Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear
2021-03-29The RecordCatalin Cimpanu
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho
2021-03-25Recorded FutureInsikt Group®
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-03-17Recorded FutureInsikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy TA428
2021-03-10ESET ResearchMathieu Tartare, Matthieu Faou, Thomas Dupuy
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti APT27 APT41 Calypso Tick ToddyCat Tonto Team Vicious Panda
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-28Recorded FutureInsikt Group®
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad
2021-02-28Recorded FutureInsikt Group®
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-08Myanmar Computer Emergency Response TeamMyanmar Computer Emergency Response Team
PlugX Removal Guide Version 1.2
2021-01-20Trend MicroAbraham Camba, Gilbert Sison, Ryan Maglaque
XDR investigation uncovers PlugX, unique technique in APT attack
2021-01-15SwisscomMarkus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2021-01-14PTSecurityPT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-04Bleeping ComputerIonut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX
2020-12-24IronNetAdam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti
2020-12-10ESET ResearchMathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger
2020-12-10ESET ResearchMathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX Tmanger TA428
2020-12-09Avast DecodedIgor Morgenstern, Luigino Camastra
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX PolPo Tmanger
2020-12-09Avast DecodedIgor Morgenstern, Luigino Camastra
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger TA428
2020-11-23ProofpointProofpoint Threat Research Team
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
2020-11-20Trend MicroAbraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX
2020-11-04SophosGabor Szappanos
A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-18SymantecThreat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-15Recorded FutureInsikt Group®
Back Despite Disruption: RedDelta Resumes Operations
2020-09-11ThreatConnectThreatConnect Research Team
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33
2020-07-29ESET Researchwelivesecurity
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-29Recorded FutureInsikt Group
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
2020-07-29Kaspersky LabsGReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28NTTNTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Risky.bizDaniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird
Reverse Engineering the New Mustang Panda PlugX Downloader
2020-07-15ZDNetCatalin Cimpanu
Chinese state hackers target Hong Kong Catholic Church
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
2020-07-01ContextisLampros Noutsos, Oliver Fay
DLL Search Order Hijacking
Cobalt Strike PlugX
2020-06-03Kaspersky LabsGiampaolo Dedola, GReAT, Mark Lechtik
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-06-02Lab52Jagaimo Kawaii
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
Reverse Engineering the Mustang Panda PlugX Loader
2020-05-15Twitter (@stvemillertime)Steve Miller
Tweet on SOGU development timeline, including TIGERPLUG IOCs
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT
2020-05-01Viettel CybersecurityCyberthreat
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-03-22AnomaliAnomali Threat Research
COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication
Analysis of malware taking advantage of the Covid-19 epidemic to spread fake "Directive of Prime Minister Nguyen Xuan Phuc" - Part 2
[RE012] Analysis of malware taking advantage of the Covid-19 epidemic to spread fake "Directive of Prime Minister Nguyen Xuan Phuc" - Part 1
2020-03-02Virus BulletinAlex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT
2020-02-18Trend MicroCedric Pernet, Daniel Lunghi, Jamz Yaneza, Kenney Lu
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT
2020-02-17Talent-Jump TechnologiesTheo Chen, Zero Chen
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX
2020-01-31AviraShahab Hamzeloofard
New wave of PlugX targets Hong Kong
2020-01-31YouTube (Context Information Security)Contextis
New AVIVORE threat group – how they operate and managing the risk
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti APT41
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT26
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy APT19
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell APT17
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
PlugX Zeus Roaming Tiger
2020-01-01DragosJoe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2019-12-29SecureworksCTU Research Team
2019-11-16Silas Cutler's BlogSilas Cutler
Fresh PlugX October 2019
2019-11-11Virus BulletinHiroshi Soeda, Shusei Tomonaga, Tomoaki Tani, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX
AVIVORE - An overview of Tools, Techniques and Procedures (Whitepaper)
PlugX Avivore
2019-10-03Palo Alto Networks Unit 42Alex Hinchliffe
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX
2019-10-03ComputerWeeklyAlex Scroxton
New threat group behind Airbus cyber attacks, claim researchers
PlugX Avivore
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-06-19YouTube (44CON Information Security Conference)Kevin O’Reilly
The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware
2019-06-03FireEyeChi-en Shen
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust
2019-05-24FortinetBen Hunter
Uncovering new Activity by APT10
PlugX Quasar RAT
2019-03-19NSHCThreatRecon Team
SectorM04 Targeting Singapore – An Analysis
PlugX Termite
2018-12-14Australian Cyber Security CentreASD
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves
2018-08-21Trend MicroJaromír Hořejší, Joseph C Chen, Kawabata Kohei, Kenney Lu
Operation Red Signature Targets South Korean Companies
9002 RAT PlugX Operation Red Signature
2018-07-31Medium SebdravenSébastien Larinier
Malicious document targets Vietnamese officials
8.t Dropper PlugX 1937CN
2018-05-09COUNT UPON SECURITYLuis Rocha
Malware Analysis - PlugX - Part 2
2018-03-13Kaspersky LabsDenis Makrushin, Yury Namestnikov
Time of death? A therapeutic postmortem of connected medicine
2018-02-04COUNT UPON SECURITYLuis Rocha
2017-12-18LACYoshihiro Ishikawa
Relationship between PlugX and attacker group "DragonOK"
2017-06-27Palo Alto Networks Unit 42Esmid Idrizovic, Tom Lancaster
Paranoid PlugX
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves
2017-04-03JPCERT/CCShusei Tomonaga
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves Trochilus RAT
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
2017-02-21JPCERT/CCShusei Tomonaga
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
2017-02-13RSARSA Research
CodeKey PlugX
2016-08-25MalwarebytesMalwarebytes Labs
Unpacking the spyware disguised as antivirus
2016-06-13Macnica NetworksMacnica Networks
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX
2016-01-22RSA LinkNorton Santos
PlugX APT Malware
2015-08-01Arbor NetworksASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT APT9
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
2015-01-29JPCERT/CCShusei Tomonaga
Analysis of a Recent PlugX Variant - “P2P PlugX”
2014-06-27SophosLabsGabor Szappanos
PlugX - The Next Generation
2014-06-10FireEyeMike Scott
Clandestine Fox, Part Deux
2014-01-06AirbusFabien Perigaud
PlugX: some uncovered points
2013-03-29Computer Incident Response Center LuxembourgCIRCL
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
2013-03-26ContextisKevin O’Reilly
PlugX–Payload Extraction
2013-02-27Trend MicroAbraham Camba
BKDR_RARSTONE: New RAT to Watch Out For
PlugX Naikon
2012-02-10tracker.h3x.euMalware Corpus Tracker
Info for Family: plugx
Yara Rules
[TLP:WHITE] win_plugx_auto (20230808 | Detects win.plugx.)
rule win_plugx_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.plugx."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { 51 56 57 6a1c 8bf8 }
            // n = 5, score = 1300
            //   51                   | push                ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a1c                 | push                0x1c
            //   8bf8                 | mov                 edi, eax

        $sequence_1 = { 33d2 f7f3 33d2 8945fc }
            // n = 4, score = 1300
            //   33d2                 | xor                 edx, edx
            //   f7f3                 | div                 ebx
            //   33d2                 | xor                 edx, edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_2 = { 55 8bec a1???????? 83ec5c 53 }
            // n = 5, score = 1300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   a1????????           |                     
            //   83ec5c               | sub                 esp, 0x5c
            //   53                   | push                ebx

        $sequence_3 = { 55 8bec 51 0fb74612 }
            // n = 4, score = 1300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   0fb74612             | movzx               eax, word ptr [esi + 0x12]

        $sequence_4 = { 51 53 6a00 6a00 6a02 ffd0 85c0 }
            // n = 7, score = 1300
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax

        $sequence_5 = { 41 3bca 7ce0 3bca }
            // n = 4, score = 1300
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx
            //   7ce0                 | jl                  0xffffffe2
            //   3bca                 | cmp                 ecx, edx

        $sequence_6 = { 56 8b750c 8b4604 050070ffff }
            // n = 4, score = 1300
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   050070ffff           | add                 eax, 0xffff7000

        $sequence_7 = { 6a00 6800100000 6800100000 68ff000000 6a00 6803000040 }
            // n = 6, score = 1000
            //   6a00                 | push                0
            //   6800100000           | push                0x1000
            //   6800100000           | push                0x1000
            //   68ff000000           | push                0xff
            //   6a00                 | push                0
            //   6803000040           | push                0x40000003

        $sequence_8 = { e8???????? 3de5030000 7407 e8???????? }
            // n = 4, score = 900
            //   e8????????           |                     
            //   3de5030000           | cmp                 eax, 0x3e5
            //   7407                 | je                  9
            //   e8????????           |                     

        $sequence_9 = { e8???????? 85c0 7508 e8???????? 8945fc }
            // n = 5, score = 900
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_10 = { 50 ff15???????? a3???????? 8b4d18 }
            // n = 4, score = 900
            //   50                   | push                eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

        $sequence_11 = { 85c0 7413 e8???????? 3de5030000 }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   e8????????           |                     
            //   3de5030000           | cmp                 eax, 0x3e5

        $sequence_12 = { e8???????? 85c0 7407 b84f050000 }
            // n = 4, score = 800
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   b84f050000           | mov                 eax, 0x54f

        $sequence_13 = { e8???????? 85c0 750a e8???????? 8945fc }
            // n = 5, score = 700
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_14 = { 6a00 6a04 6a00 6a01 6800000040 57 }
            // n = 6, score = 700
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6800000040           | push                0x40000000
            //   57                   | push                edi

        $sequence_15 = { 6a00 6819000200 6a00 6a00 6a00 51 }
            // n = 6, score = 600
            //   6a00                 | push                0
            //   6819000200           | push                0x20019
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   51                   | push                ecx

        $sequence_16 = { 56 56 6a01 56 ffd0 }
            // n = 5, score = 600
            //   56                   | push                esi
            //   56                   | push                esi
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ffd0                 | call                eax

        $sequence_17 = { 85c0 750d e8???????? 8945f4 }
            // n = 4, score = 600
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_18 = { 57 e8???????? eb0c e8???????? }
            // n = 4, score = 500
            //   57                   | push                edi
            //   e8????????           |                     
            //   eb0c                 | jmp                 0xe
            //   e8????????           |                     

        $sequence_19 = { 50 ff75e8 6802000080 e8???????? }
            // n = 4, score = 400
            //   50                   | push                eax
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   6802000080           | push                0x80000002
            //   e8????????           |                     

        $sequence_20 = { 6a00 ff7028 e8???????? 83c408 85c0 }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   ff7028               | push                dword ptr [eax + 0x28]
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_21 = { 6808020000 6a00 ff742450 e8???????? 83c40c }
            // n = 5, score = 400
            //   6808020000           | push                0x208
            //   6a00                 | push                0
            //   ff742450             | push                dword ptr [esp + 0x50]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_22 = { 6a02 6a00 e8???????? c705????????00000000 }
            // n = 4, score = 400
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   e8????????           |                     
            //   c705????????00000000     |     

        $sequence_23 = { 6800080000 68???????? e8???????? 6800080000 68???????? e8???????? }
            // n = 6, score = 400
            //   6800080000           | push                0x800
            //   68????????           |                     
            //   e8????????           |                     
            //   6800080000           | push                0x800
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_24 = { 5e 5f 5b 5d c3 64a118000000 }
            // n = 6, score = 400
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   64a118000000         | mov                 eax, dword ptr fs:[0x18]

        $sequence_25 = { 81ec90010000 e8???????? e8???????? e8???????? }
            // n = 4, score = 400
            //   81ec90010000         | sub                 esp, 0x190
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_26 = { 68???????? 6830750000 68e8030000 ff36 }
            // n = 4, score = 400
            //   68????????           |                     
            //   6830750000           | push                0x7530
            //   68e8030000           | push                0x3e8
            //   ff36                 | push                dword ptr [esi]

        $sequence_27 = { 5f 5b 5d c20400 55 53 57 }
            // n = 7, score = 400
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   53                   | push                ebx
            //   57                   | push                edi

        $sequence_28 = { 50 56 ffb42480000000 ff15???????? }
            // n = 4, score = 400
            //   50                   | push                eax
            //   56                   | push                esi
            //   ffb42480000000       | push                dword ptr [esp + 0x80]
            //   ff15????????         |                     

        $sequence_29 = { 6808020000 6a00 ff74242c e8???????? }
            // n = 4, score = 400
            //   6808020000           | push                0x208
            //   6a00                 | push                0
            //   ff74242c             | push                dword ptr [esp + 0x2c]
            //   e8????????           |                     

        $sequence_30 = { 6a01 6a00 e8???????? a3???????? 6800080000 }
            // n = 5, score = 400
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   e8????????           |                     
            //   a3????????           |                     
            //   6800080000           | push                0x800

        7 of them and filesize < 1284096
[TLP:WHITE] win_plugx_w1   (20170517 | PlugX Identifying Strings)
rule win_plugx_w1 {
        description = "PlugX Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-12"
		source = ""
        malpedia_reference = ""
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        $BootLDR = "boot.ldr" wide ascii
        $Dwork = "d:\\work" nocase
        $Plug25 = "plug2.5"
        $Plug30 = "Plug3.0"
        $Shell6 = "Shell6"
        $BootLDR or ($Dwork and ($Plug25 or $Plug30 or $Shell6))
[TLP:WHITE] win_plugx_w2   (20170517 | PlugX RAT)
rule win_plugx_w2 {
		author = "Jean-Philippe Teissier / @Jipe_"
		description = "PlugX RAT"
		date = "2014-05-13"
		filetype = "memory"
		version = "1.0" 
		ref1 = ""
		source = ""
        malpedia_reference = ""
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
		$v1a = { 47 55 4C 50 00 00 00 00 }
		$v1b = "/update?id=%8.8x" 
		$v1algoa = { BB 33 33 33 33 2B } 
		$v1algob = { BB 44 44 44 44 2B } 
		$v2a = "Proxy-Auth:" 
		$v2b = { 68 A0 02 00 00 } 
		$v2k = { C1 8F 3A 71 } 
		$v1a at 0 or $v1b or (($v2a or $v2b) and (($v1algoa and $v1algob) or $v2k))
Download all Yara Rules