| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Actor(s): APT 22, APT 26, APT31, APT41, Aurora Panda, Calypso group, DragonOK, EMISSARY PANDA, Hellsing, Hurricane Panda, Leviathan, Mirage, Mustang Panda, NetTraveler, Nightshade Panda, Samurai Panda, Stone Panda, UPS, Violin Panda
RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.
Notable features of this malware family are the ability to execute commands on the affected machine to retrieve:
machine information
capture the screen
send keyboard and mouse events
keylogging
reboot the system
manage processes (create, kill and enumerate)
manage services (create, start, stop, etc.); and
manage Windows registry entries, open a shell, etc.
The malware also logs its events in a text log file.
| 2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Attacks on industrial control systems using ShadowPad Cobalt Strike PlugX ShadowPad |
| 2022-05-20 ⋅ VinCSS ⋅ [RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam PlugX |
| 2022-05-17 ⋅ Positive Technologies ⋅ Space Pirates: analyzing the tools and connections of a new hacker group FormerFirstRAT PlugX Poison Ivy Rovnix ShadowPad Zupdax |
| 2022-05-16 ⋅ JPCERT/CC ⋅ Analysis of HUI Loader HUI Loader PlugX Poison Ivy Quasar RAT |
| 2022-05-05 ⋅ Cisco Talos ⋅ Mustang Panda deploys a new wave of malware targeting Europe Cobalt Strike Meterpreter PlugX |
| 2022-05-02 ⋅ Sentinel LABS ⋅ Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad PlugX ShadowPad |
| 2022-04-28 ⋅ PWC ⋅ Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Red Menshen |
| 2022-04-27 ⋅ Secureworks ⋅ BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX PlugX |
| 2022-04-27 ⋅ Trend Micro ⋅ New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware AsyncRAT Ghost RAT PlugX Quasar RAT |
| 2022-04-14 ⋅ NSHC RedAlert Labs ⋅ Hacking activity of SectorB Group in 2021 Chinese government supported hacking group SectorB PlugX |
| 2022-04-12 ⋅ Max Kersten's Blog ⋅ Ghidra script to handle stack strings CaddyWiper PlugX |
| 2022-03-28 ⋅ Trellix ⋅ PlugX: A Talisman to Behold PlugX |
| 2022-03-25 ⋅ ESET Research ⋅ Mustang Panda's Hodur: Old stuff, new variant of Korplug PlugX |
| 2022-03-24 ⋅ Threat Post ⋅ Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection PlugX |
| 2022-03-23 ⋅ ESET Research ⋅ Mustang Panda’s Hodur: Old tricks, new Korplug variant PlugX |
| 2022-03-23 ⋅ BleepingComputer ⋅ New Mustang Panda hacking campaign targets diplomats, ISPs PlugX |
| 2022-03-07 ⋅ Proofpoint ⋅ The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates PlugX |
| 2022-02-17 ⋅ SinaCyber ⋅ Testimony before the U.S.-China Economic and Security Review Commission Hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States” PlugX |
| 2022-01-06 ⋅ Cyber And Ramen blog ⋅ A “GULP” of PlugX PlugX |
| 2021-12-01 ⋅ ESET Research ⋅ Jumping the air gap: 15 years of nation‑state effort Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry |
| 2021-11-18 ⋅ Cisco ⋅ BlackMatter, LockBit, and THOR BlackMatter LockBit PlugX |
| 2021-10-18 ⋅ NortonLifeLock ⋅ Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church NewBounce PlugX Zupdax |
| 2021-09-28 ⋅ Recorded Future ⋅ 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan PlugX Winnti |
| 2021-09-14 ⋅ McAfee ⋅ Operation ‘Harvest’: A Deep Dive into a Long-term Campaign MimiKatz PlugX Winnti |
| 2021-09-10 ⋅ The Record ⋅ Indonesian intelligence agency compromised in suspected Chinese hack PlugX |
| 2021-09-01 ⋅ YouTube (Black Hat) ⋅ Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
| 2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group PlugX |
| 2021-07-21 ⋅ Bitdefender ⋅ LuminousMoth – PlugX, File Exfiltration and Persistence Revisited PlugX |
| 2021-06-02 ⋅ xorhex blog ⋅ RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure PlugX |
| 2021-06-02 ⋅ Twitter (@xorhex) ⋅ Tweet on new variant of PlugX from RedDelta Group PlugX |
| 2021-05-27 ⋅ xorhex blog ⋅ Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config PlugX |
| 2021-05-17 ⋅ xorhex blog ⋅ Mustang Panda PlugX - 45.251.240.55 Pivot PlugX |
| 2021-05-07 ⋅ TEAMT5 ⋅ Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network Cobalt Strike PlugX Waterbear |
| 2021-03-29 ⋅ The Record ⋅ RedEcho group parks domains after public exposure PlugX ShadowPad RedEcho |
| 2021-03-25 ⋅ Recorded Future ⋅ Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers Meterpreter PlugX |
| 2021-03-17 ⋅ Recorded Future ⋅ China-linked TA428 Continues to Target Russia and Mongolia IT Companies PlugX Poison Ivy |
| 2021-03-10 ⋅ ESET Research ⋅ Exchange servers under siege from at least 10 APT groups Microcin MimiKatz PlugX Winnti ToddyCat |
| 2021-02-28 ⋅ PWC UK ⋅ Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare |
| 2021-02-28 ⋅ Recorded Future ⋅ China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions PlugX ShadowPad RedEcho |
| 2021-02-28 ⋅ Recorded Future ⋅ China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions Icefog PlugX ShadowPad |
| 2021-02-23 ⋅ CrowdStrike ⋅ 2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-01-20 ⋅ Trend Micro ⋅ XDR investigation uncovers PlugX, unique technique in APT attack PlugX |
| 2021-01-15 ⋅ Swisscom ⋅ Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
| 2021-01-14 ⋅ PTSecurity ⋅ Higaisa or Winnti? APT41 backdoors, old and new Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad |
| 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
| 2021-01-04 ⋅ Bleeping Computer ⋅ China's APT hackers move to ransomware attacks Clambling PlugX |
| 2020-12-24 ⋅ IronNet ⋅ China cyber attacks: the current threat landscape PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
| 2020-12-10 ⋅ ESET Research ⋅ Operation StealthyTrident: corporate software under attack HyperBro PlugX ShadowPad Tmanger |
| 2020-12-09 ⋅ Avast Decoded ⋅ APT Group Targeting Governmental Agencies in East Asia Albaniiutas HyperBro PlugX Tmanger |
| 2020-11-23 ⋅ Proofpoint ⋅ TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader PlugX |
| 2020-11-20 ⋅ Trend Micro ⋅ Weaponizing Open Source Software for Targeted Attacks LaZagne Defray PlugX |
| 2020-11-04 ⋅ Sophos ⋅ A new APT uses DLL side-loads to “KilllSomeOne” KilllSomeOne PlugX |
| 2020-11-03 ⋅ Kaspersky Labs ⋅ APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
| 2020-10-27 ⋅ Dr.Web ⋅ Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
| 2020-09-18 ⋅ Symantec ⋅ APT41: Indictments Put Chinese Espionage Group in the Spotlight CROSSWALK PlugX poisonplug ShadowPad Winnti |
| 2020-09-15 ⋅ Recorded Future ⋅ Back Despite Disruption: RedDelta Resumes Operations PlugX |
| 2020-09-11 ⋅ ThreatConnect ⋅ Research Roundup: Activity on Previously Identified APT33 Domains Emotet PlugX APT33 |
| 2020-07-29 ⋅ Kaspersky Labs ⋅ APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
| 2020-07-29 ⋅ Recorded Future ⋅ Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations PlugX |
| 2020-07-29 ⋅ ESET Research ⋅ THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
| 2020-07-28 ⋅ NTT ⋅ CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
| 2020-07-20 ⋅ Dr.Web ⋅ Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan Microcin Mirage PlugX WhiteBird |
| 2020-07-20 ⋅ or10nlabs ⋅ Reverse Engineering the New Mustang Panda PlugX Downloader PlugX |
| 2020-07-20 ⋅ Risky.biz ⋅ What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
| 2020-07-15 ⋅ ZDNet ⋅ Chinese state hackers target Hong Kong Catholic Church PlugX |
| 2020-07-05 ⋅ or10nlabs ⋅ Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config PlugX |
| 2020-07-01 ⋅ Contextis ⋅ DLL Search Order Hijacking Cobalt Strike PlugX |
| 2020-06-03 ⋅ Kaspersky Labs ⋅ Cycldek: Bridging the (air) gap 8.t Dropper NewCore RAT PlugX USBCulprit Hellsing |
| 2020-06-02 ⋅ Lab52 ⋅ Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers PlugX |
| 2020-05-24 ⋅ or10nlabs ⋅ Reverse Engineering the Mustang Panda PlugX Loader PlugX |
| 2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Tweet on SOGU development timeline, including TIGERPLUG IOCs PlugX |
| 2020-05-14 ⋅ Lab52 ⋅ The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
| 2020-05-01 ⋅ Viettel Cybersecurity ⋅ Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1) NewCore RAT PlugX |
| 2020-03-19 ⋅ VinCSS ⋅ Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2 PlugX |
| 2020-03-02 ⋅ Virus Bulletin ⋅ Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary HenBox Farseer PlugX Poison Ivy |
| 2020-02-21 ⋅ ADEO DFIR ⋅ APT10 Threat Analysis Report CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
| 2020-02-18 ⋅ Trend Micro ⋅ Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations Cobalt Strike HyperBro PlugX Trochilus RAT |
| 2020-02-17 ⋅ Talent-Jump Technologies ⋅ CLAMBLING - A New Backdoor Base On Dropbox HyperBro PlugX |
| 2020-01-31 ⋅ Avira ⋅ New wave of PlugX targets Hong Kong PlugX |
| 2020-01-31 ⋅ YouTube (Context Information Security) ⋅ New AVIVORE threat group – how they operate and managing the risk PlugX |
| 2020 ⋅ Secureworks ⋅ BRONZE KEYSTONE 9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda |
| 2020 ⋅ Secureworks ⋅ BRONZE RIVERSIDE Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
| 2020 ⋅ Secureworks ⋅ BRONZE PRESIDENT CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
| 2020 ⋅ Secureworks ⋅ BRONZE OLIVE ANGRYREBEL PlugX APT 22 |
| 2020 ⋅ Secureworks ⋅ BRONZE FIRESTONE 9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew |
| 2020 ⋅ Secureworks ⋅ BRONZE WOODLAND PlugX Zeus Roaming Tiger |
| 2020 ⋅ Secureworks ⋅ BRONZE EXPRESS 9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26 |
| 2020 ⋅ Secureworks ⋅ BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA |
| 2020 ⋅ Secureworks ⋅ BRONZE ATLAS Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom |
| 2020 ⋅ Secureworks ⋅ BRONZE OVERBROOK Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
| 2020-01 ⋅ Dragos ⋅ Threat Intelligence and the Limits of Malware Analysis Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
| 2019-12-29 ⋅ Secureworks ⋅ BRONZE PRESIDENT Targets NGOs PlugX BRONZE PRESIDENT |
| 2019-11-16 ⋅ Silas Cutler's Blog ⋅ Fresh PlugX October 2019 PlugX |
| 2019-11-11 ⋅ Virus Bulletin ⋅ APT cases exploiting vulnerabilities in region‑specific software NodeRAT Emdivi PlugX |
| 2019-10-31 ⋅ PTSecurity ⋅ Calypso APT: new group attacking state institutions BYEBY FlyingDutchman Hussar PlugX |
| 2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ PKPLUG: Chinese Cyber Espionage Group Attacking Asia HenBox Farseer PlugX |
| 2019-10-03 ⋅ ComputerWeekly ⋅ New threat group behind Airbus cyber attacks, claim researchers PlugX Avivore |
| 2019-10-03 ⋅ Contextis ⋅ AVIVORE – Hunting Global Aerospace through the Supply Chain PlugX Avivore |
| 2019-06-19 ⋅ YouTube (44CON Information Security Conference) ⋅ The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware PlugX |
| 2019-06-03 ⋅ FireEye ⋅ Into the Fog - The Return of ICEFOG APT Icefog PlugX Sarhust |
| 2019-05-24 ⋅ Fortinet ⋅ Uncovering new Activity by APT10 PlugX Quasar RAT |
| 2019-03-19 ⋅ NSHC ⋅ SectorM04 Targeting Singapore – An Analysis PlugX Termite |
| 2018-12-14 ⋅ Australian Cyber Security Centre ⋅ Investigationreport: Compromise of an Australian companyvia their Managed Service Provider PlugX RedLeaves |
| 2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Malware Analysis - PlugX - Part 2 PlugX |
| 2018-03-13 ⋅ Kaspersky Labs ⋅ Time of death? A therapeutic postmortem of connected medicine PlugX |
| 2018-02-04 ⋅ COUNT UPON SECURITY ⋅ MALWARE ANALYSIS – PLUGX PlugX |
| 2017-12-18 ⋅ LAC ⋅ Relationship between PlugX and attacker group "DragonOK" PlugX |
| 2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Paranoid PlugX PlugX |
| 2017-04-27 ⋅ US-CERT ⋅ Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors PlugX RedLeaves |
| 2017-04-03 ⋅ JPCERT/CC ⋅ RedLeaves - Malware Based on Open Source RAT PlugX RedLeaves Trochilus RAT |
| 2017-04 ⋅ PricewaterhouseCoopers ⋅ Operation Cloud Hopper: Technical Annex ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
| 2017-02-21 ⋅ JPCERT/CC ⋅ PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code PlugX |
| 2017-02-13 ⋅ RSA ⋅ KINGSLAYER – A SUPPLY CHAIN ATTACK CodeKey PlugX |
| 2016-08-25 ⋅ Malwarebytes ⋅ Unpacking the spyware disguised as antivirus PlugX |
| 2016-06-13 ⋅ Macnica Networks ⋅ Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition Emdivi PlugX |
| 2016-01-22 ⋅ RSA Link ⋅ PlugX APT Malware PlugX |
| 2015-08 ⋅ Arbor Networks ⋅ Uncovering the Seven Pointed Dagger 9002 RAT EvilGrab PlugX Trochilus RAT Group 27 |
| 2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike Global Threat Intel Report 2014 BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
| 2015-01-29 ⋅ JPCERT/CC ⋅ Analysis of a Recent PlugX Variant - “P2P PlugX” PlugX |
| 2014-06-27 ⋅ SophosLabs ⋅ PlugX - The Next Generation PlugX |
| 2014-06-10 ⋅ FireEye ⋅ Clandestine Fox, Part Deux PlugX |
| 2014-01-06 ⋅ Airbus ⋅ PlugX: some uncovered points PlugX |
| 2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0) PlugX |
| 2013-03 ⋅ Contextis ⋅ PlugX–Payload Extraction PlugX |
| 2012-02-10 ⋅ tracker.h3x.eu ⋅ Info for Family: plugx PlugX |