#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

PlugX | Breaking Cybersecurity News | The Hacker News

Category — PlugX
Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments

Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments

Sep 10, 2024 Cyber Attack / Malware
The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro. The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN." PUBLOAD is a known downloader malware linked to Mustang Panda since early 2022, deployed as part of cyber attacks targeting government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware . "PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said. Mustang Panda's use of re
Two Chinese APT Groups Ramp Up Cyber Espionage Against ASEAN Countries

Two Chinese APT Groups Ramp Up Cyber Espionage Against ASEAN Countries

Mar 27, 2024 Cyber Espionage / Vulnerability
Two China-linked advanced persistent threat (APT) groups have been observed targeting entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN) as part of a cyber espionage campaign over the past three months. This includes the threat actor known as  Mustang Panda , which has been recently linked to  cyber attacks against Myanmar  as well as other Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed  DOPLUGS . Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages. "Threat actors created malware for these packages on March 4-5, 2024, coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024)," Palo Alto Networks Unit 42  said  in a report shared with The Hacker News. One of the malware package is a ZIP file that contains
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS

Mustang Panda Targets Asia with Advanced PlugX Variant DOPLUGS

Feb 21, 2024 Malware / Cyber Espionage
The China-linked threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS. "The piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter," Trend Micro researchers Sunny Lu and Pierre Lee  said  in a new technical write-up. Targets of DOPLUGS have been primarily located in Taiwan, and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China. PlugX is a staple tool of  Mustang Panda , which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It's known to be active since at least 2012, although it first came to light in 2017. The threat actor's tradecraft entails carrying out well-forged spear-phishing campaigns that a
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

Jan 26, 2024 Malvertising / Phishing-as-a-service
Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign. "The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead," Malwarebytes' Jérôme Segura  said  in a Thursday report. "Such programs give an attacker full control of a victim's machine and the ability to drop additional malware." It's worth noting that the activity, codenamed  FakeAPP , is a continuation of a  prior attack wave  that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023. The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites. The Google infrastructure is used to embed link
Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates

Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates

Aug 22, 2023 Software Supply Chain / Malware
A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee. The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called EsafeNet Cobra DocGuard Client to deliver a known backdoor known as  PlugX  (aka Korplug) on victim networks. "In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate," the company  said  in a report shared with The Hacker News. The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly APT Activity Report this year, detailing a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software. The compan
Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

Jul 18, 2023 Malware / Cyber Attack
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver  ShadowPad , a successor to the PlugX backdoor that's commonly associated with  Chinese hacking crews . Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022. The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems. The attack chain takes the form of a malicious installer for  E-Office , an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless. It's currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there&
Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX

Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX

Jul 03, 2023 Malware Attack / Cyberespionage
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using  HTML smuggling techniques  to deliver the PlugX remote access trojan on compromised systems. Cybersecurity firm Check Point said the activity, dubbed  SmugX , has been ongoing since at least December 2022, adding it's part of a broader trend of Chinese adversaries shifting their focus to Europe. "The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point  said . "Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar." The exact identity of the threat actor behind the operation is a little hazy, although existing clues point in the direction of  Mustang Panda , which a
Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

Mar 09, 2023 Threat Intelligence / Malware
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a  new analysis , said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. This  includes  the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware . PlugX is the latest addition to this list. The  modular malware  has been extensively put to use by threat actors based in China, with new features continuously added to help perform system control and information theft. In the attacks observed by ASEC, successful exploitation of the flaws is followed by the execution of a PowerShell command that retrieves an executable and a DLL file from a remote server. This executable is a legitimate HTTP Server Service from cybersecurity company ESET, which is used to load the DLL file by means of a techni
PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

Feb 27, 2023 Malware / Cyber Attack
The  PlugX  remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. "This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers," Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria  said  in a report published last week. PlugX, also known as  Korplug , is a post-exploitation  modular implant , which, among other things, is known for its multiple functionalities such as data exfiltration and its ability to use the compromised machine for nefarious purposes. Although first documented a decade ago in 2012, early samples of the malware date as far as February 2008, according to a  Trend Micro report  at the time. Over the years, PlugX has been used by threat actors with a Chinese nexus as well as cybercrime groups. On
Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices

Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices

Jan 27, 2023 Endpoint Security / Malware
Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. "This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn  said . "A user would not know their USB device is infected or possibly used to exfiltrate data out of their networks." The cybersecurity company said it uncovered the artifact during an incident response effort following a Black Basta ransomware attack against an unnamed victim. Among other tools discovered in the compromised environment include the  Gootkit  malware loader and the  Brute Ratel C4  red team framework. The use of Brute Ratel by the Black Basta group was previously  highlighted  by Trend Micro in October 2022, with the software delivered as a second-stage
Chinese Hackers Target Government Officials in Europe, South America, and Middle East

Chinese Hackers Target Government Officials in Europe, South America, and Middle East

Sep 08, 2022
A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary's continued focus on espionage against governments around the world. "PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. Bronze President is a China-based threat actor active since at least July 2018 and is likely estimated to be a state-sponsored group that leverages a mix of proprietary and publicly available tools to compromise and collect data from its targets. It's also publicly documented under other names such as HoneyMyte, Mustang P
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

May 03, 2022
A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka  RedFoxtrot ). "PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen  said . "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products." ShadowPad , labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors. Alth
Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware

Apr 27, 2022
A China-linked government-sponsored threat actor observed striking European diplomatic entities in March may have been targeting Russian government officials with an updated version of a remote access trojan called  PlugX . Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG. "The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm  said  in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'" Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access,
Expert Insights / Articles Videos
Cybersecurity Resources