PlugX
PlugX is a long-running modular remote access Trojan/backdoor family observed in intrusions since at least 2008. It is also tracked under aliases including Destroy RAT, Kaba, Korplug, Sogu, SoguSec, Thoper, TVT, and TIGERPLUG. The malware is widely associated with China-linked espionage activity and has been notably tied to Mustang Panda/TA416/RedDelta, though reporting also notes use by multiple operators and possible wider availability of its code. PlugX has appeared in campaigns targeting government, diplomatic, military, aerospace, telecommunications, software and services, IT services, manufacturing, construction, insurance, electric power, and nonprofit organizations across Asia, Europe, Russia, Belarus, and elsewhere.
High-confidence capabilities described in the source material include command-and-control communications, machine and system information gathering, screen capture, keylogging, file operations, shell/command execution, service and process management, file upload/download, and proxying. PlugX can be configured to use HTTP for C2, and some reporting describes RC4-encrypted and compressed communications. It can establish persistence by installing itself as a Windows service, and it includes functionality to change service configurations as well as start, control, and delete services. It also modifies folder attributes to hide artifacts from users.
A recurring execution pattern is DLL sideloading/search-order hijacking using legitimate signed executables and malicious loader DLLs, often with encrypted payload files stored alongside them. Multiple reports describe PlugX loaders decrypting payloads and injecting them into processes such as svchost.exe. Delivery and staging methods mentioned in the content include spear-phishing attachments, RAR/ZIP archives, CHM droppers, Dropbox-hosted payloads, USB propagation via LNK files, and removable-drive worms. One report specifically describes a PlugX USB worm creating a hidden RECYCLE.BIN folder on USB drives to store malicious executables and collected data.
Examples in the content include TA416/Mustang Panda campaigns using Adobe or PotPlayer-related sideloading chains; Unit 42 reporting on CL-STA-0048 using Acrobat.exe, Acrobat.dll, and Acrobat.dxe with C2 mail.tttseo[.]com; Proofpoint reporting a Golang PlugX loader using hex.dll to decrypt adobeupdate.dat and beacon to 45.248.87[.]162; older ZeroT activity delivering PlugX and creating a service for startup persistence; and a stage-2 PlugX sample beaconing to www[.]icefirebest[.]com and www[.]icekkk[.]net. Additional infrastructure and indicators directly mentioned include h5.nasa6[.]com, 92.118.188[.]78:187, and domains such as www.dicemention[.]com and www.micrnet[.]net linked to prior PlugX activity.
The content also notes PlugX use alongside other malware families and tooling including ShadowPad, Poison Ivy, FFRAT, Scieron, Cobalt Strike, SoftEther VPN, Stowaway, and NailaoLocker-related activity. Several reports compare PlugX code or loader behavior with other malware families such as RedLeaves, and one notes similarities between ShadowPad and PlugX.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
15 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In May 2024, CVE-2024-24919, an information disclosure vulnerability in Check Point Quantum Security Gateways was exploited in the wild and tied to NailaoLocker ransomware (distributed via ShadowPad and PlugX backdoors, as documented by Orange Cyberdefense CERT).
attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan... In this campaign, attackers used a Microsoft Word document called 0721.doc, which exploits CVE-2017-0199. This vulnerability was disclosed and patched days prior to this attack.
In previous campaigns, the group used spear-phishing emails with Microsoft Word document attachments utilizing CVE-2012-0158... Attackers also continued to send spear-phishing emails with Microsoft Word attachments utilizing CVE-2012-0158 to exploit the client.
At the end of the infection chain, hackers deployed a version of PlugX malware onto victim machines. PlugX is a remote access Trojan that's been a staple of Chinese nation-state hacking since 2008. | Microsoft has been aware of the flaw, tracked as CVE-2025-9491, at least since September 2024, when the Zero Day Initiative identified it as ZDI-25-148 and ZDI-CAN-25373 and notified Redmond. The vulnerability exists in how Windows processes .lnk files, which are desktop icons acting as a shortcut to another file or application.
"...Winnti, aka Barium and APT41... The group used the PlugX RAT and ShadowPad malware in its attacks." | Previously, Eset reported that about five APT groups have been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 ... Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
“PlugX often used by Chinese threat actors… PlugX is a variant of the BackDoor.PlugX.38…”
In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server. | Avira blogged about HoneyMyte PlugX variants... PlugX has been used by multiple APT groups over the past decade...
It appears to have started with CVE-2014-3393, a vulnerability in the Cisco Clientless SSL VPN portal... A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal... An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.
Associated Analytic Stories: AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT
Details on Exploited Vulnerabilities ... CVE-2021-40444 Microsoft Windows ... YARA Rules ... reference = “... PrintNightmare and MSHTML exploits” ... $cve2 = “CVE-2021-40444”
Details on Exploited Vulnerabilities ... CVE-2021-1675 Microsoft Windows ... YARA Rules ... reference = “... PrintNightmare and MSHTML exploits” ... $cve1 = “CVE-2021-1675”
Groups observed using it
27 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Symantec confirmed that RA World was used by China-based threat actors in attacks targeting software and services companies, and the link between the two groups was revealed when analysis showed that the PlugX used in the attacks had the same timestamp as that previously used by Mustang Panda.
The initial and primary backdoor the threat actor used in this attack was the PlugX backdoor. PlugX is a well-known remote access tool (RAT) with modular plugins and customizable settings that has been popular for over a decade, primarily among Chinese-speaking threat groups.
The stage 2 payload was PlugX that beaconed to C&C servers www[.]icefirebest[.]com and www[.]icekkk[.]net.
Moshen Dragon deployed five different malware triads in an attempt to use DLL search order hijacking to sideload ShadowPad and PlugX variants.
Using our telemetry data, we found that the threat actor also dropped PlugX and ShadowPad samples in victim environments.
Inside: captive-portal Wi-Fi Pineapples that bypass MFA, PlugX side-loading through legitimate apps, and the USB worm that jumps air-gapped military networks.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Initial Access
2 techniques
In multiple infections throughout the year, USB devices containing LNK files were likely used for initial access
the group used spear-phishing emails with Microsoft Word document attachments utilizing CVE-2012-0158, or URLs linking to RAR-compressed executables... added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.
Execution
7 techniques
Upon execution, some of the payloads will achieve persistence by either creating a scheduled task or a service.
The new version included: Two hardcoded dates for latest write time used to filter over files within a specified directory. A minimum and maximum file size to filter over files within a specified directory.
Bundling decoy documents is a common tactic by this group. RAR SFX directives are used to display the decoy while the malicious payload is executed.
In multiple infections throughout the year, USB devices containing LNK files were likely used for initial access, resulting in a registry artifact of execution similar to \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{[redacted_GUID]}\Count\Q:\Erzbinoyr Qvfx(3TO).yax
When the legitimate application is executed, it loads the loader located in the same folder through DLL Hijacking (DLL preloading).
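The UserAssist artifact quoted above is ROT13-encoded, which is why the removable-drive LNK path reads as gibberish in the raw registry value name. The following is an added example (not code from the page or from any vendor report) that decodes UserAssist value names and flags .lnk files launched from a non-system drive, the pattern behind the USB-borne initial access described here. The value names in SAMPLE_USERASSIST_NAMES are constructed for the example; on a live Windows host read_live_userassist() enumerates the real ones.

```python
import codecs
import re

# Constructed UserAssist value names (hypothetical, ROT13-encoded as Windows stores them).
SAMPLE_USERASSIST_NAMES = [
    r"Q:\Erzbinoyr Qvfx(3TO).yax",                                   # D:\Removable Disk(3GB).lnk
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\CbgCynlreZvav64.rkr",   # GUID-prefixed EXE
    r"R:\Hfo\cubgbf.yax",                                            # E:\Usb\photos.lnk
    r"P:\Hfref\Choyvp\Qrfxgbc\abgrcnq.yax",                          # C:\Users\Public\Desktop\notepad.lnk
]

# Heuristic: a shortcut executed from any drive other than C: (removable media, mapped shares).
LNK_OFF_SYSTEM_DRIVE = re.compile(r"^[D-Z]:\\.*\.lnk$", re.IGNORECASE)


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are stored ROT13-encoded; return the original path."""
    return codecs.decode(name, "rot_13")


def is_lnk_off_system_drive(path: str) -> bool:
    """True when a decoded path is a .lnk on a non-system drive letter."""
    return LNK_OFF_SYSTEM_DRIVE.match(path) is not None


def triage_userassist(names):
    """Return (decoded_path, suspicious) for every ROT13 value name given."""
    results = []
    for name in names:
        decoded = decode_userassist_name(name)
        results.append((decoded, is_lnk_off_system_drive(decoded)))
    return results


def read_live_userassist():
    """On Windows, enumerate real UserAssist value names under HKCU; empty list elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    names = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as ua:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(ua, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(ua, guid + r"\Count") as count:
                j = 0
                while True:
                    try:
                        names.append(winreg.EnumValue(count, j)[0])
                    except OSError:
                        break
                    j += 1
    return names


if __name__ == "__main__":
    for path, flagged in triage_userassist(SAMPLE_USERASSIST_NAMES or read_live_userassist()):
        print(("SUSPECT " if flagged else "        ") + path)
```

The drive-letter heuristic is deliberately broad: a mapped network share also matches, so treat hits as a pivot into the LNK itself and the execution chain that followed, not as a verdict.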
Persistence
4 techniques
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
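The page's own summary of PlugX describes three host-side signals that line up well in endpoint telemetry: an unsigned loader DLL sideloaded from the same user-writable directory as a legitimate EXE, service persistence (an ImagePath pointing at that directory), and injection into svchost.exe. The following is an added example (not code from the page or from any vendor report) that correlates those three signals across constructed Sysmon-style events; the paths, PIDs and the service name "AdobeUpd" are hypothetical placeholders.

```python
from collections import defaultdict

# Constructed Sysmon-style events (hypothetical; not taken from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Roaming\AcroUpd\Acrobat.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Roaming\AcroUpd\Acrobat.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\AcroUpd\Acrobat.dll", "Signed": "false"},
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Roaming\AcroUpd\Acrobat.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\AdobeUpd\ImagePath",
     "Details": r"C:\Users\alice\AppData\Roaming\AcroUpd\Acrobat.exe"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": r"C:\Users\alice\AppData\Roaming\AcroUpd\Acrobat.exe",
     "TargetProcessId": 812, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Benign control: the same product under Program Files loading a signed DLL.
    {"EventID": 1, "ProcessId": 5008, "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 5008, "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "ImageLoaded": r"C:\Program Files\Adobe\Acrobat\Acrobat.dll", "Signed": "true"},
]

# Directory markers a standard user can write to; extend for your environment.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    return a.lower().rsplit("\\", 1)[0] == b.lower().rsplit("\\", 1)[0]


def correlate(events):
    """Map (image, pid) to the list of PlugX-style signals that process triggered."""
    findings = defaultdict(list)
    for e in events:
        eid = e["EventID"]
        if eid == 7:  # ImageLoad: loader DLL sitting next to the signed host EXE
            if (e["Signed"] == "false" and same_directory(e["Image"], e["ImageLoaded"])
                    and in_user_writable(e["ImageLoaded"])):
                findings[(e["Image"], e["ProcessId"])].append(
                    "sideload: unsigned DLL loaded from the EXE's own user-writable directory")
        elif eid == 13:  # RegistryEvent: service ImagePath written to a user-writable location
            target = e["TargetObject"].lower()
            if "\\services\\" in target and target.endswith("\\imagepath") and in_user_writable(e["Details"]):
                findings[(e["Image"], e["ProcessId"])].append(
                    "persistence: service ImagePath set to a user-writable path")
        elif eid == 8:  # CreateRemoteThread into svchost.exe
            if e["TargetImage"].lower().endswith("\\svchost.exe"):
                findings[(e["SourceImage"], e["SourceProcessId"])].append(
                    "injection: remote thread created in svchost.exe")
    return dict(findings)


def rank(findings):
    """Order processes by how many of the three signals they hit (most first)."""
    return sorted(findings.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    for (image, pid), signals in rank(correlate(SAMPLE_EVENTS)):
        print(f"{pid} {image}")
        for s in signals:
            print("   -", s)
```

Any single signal has benign explanations (unsigned plug-ins, installers writing services); it is the combination on one process, within a short window, that is worth paging on.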
Privilege Escalation
5 techniques
Appendix A... Injection: 1 Inject Process: %windir%\explorer.exe ... %windir%\system32\svchost.exe ... Appendix B... Inject Process: %windir%\system32\svchost.exe
Stealth
12 techniques
This executable is obfuscated... dummy API calls inserted in between real instructions... the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants
stage 2 payloads are still retrieved as Bitmap (BMP) images that use Least Significant Bit (LSB) Steganography to hide the real payloads
One of the main ways it does this is by resolving API functions during runtime... This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary.
A legitimate application (EXE file): a signed, executable file which reads a DLL file located in the same folder
this is done using RC4 and RtlDecompressBuffer... decrypts them using the MD5 hash of a command line argument as the RC4 key... and decompresses it with LZNT1 via the RtlDecompressBuffer API
This sample further implements anti-analysis techniques via the malware’s design... After every iteration of the state machine, the malware sample will modify the state with a XOR operation. This makes it difficult to analyze.
Additionally, it looks to obfuscate its activities by performing actions like modifying the characteristics of folders to hide them.
Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.
Credential Access
1 technique
Discovery
3 techniques
It calls back to a command and control (C2) server, gathers machine information, performs screen captures, and manages services and processes.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement
1 technique
Collection
5 techniques
PlugX... Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging.
The other directory, which has a random name, contains the victim’s exfiltrated files.
Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'
Command and Control
4 techniques
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
IOCs tracked for this family
655 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan mentioned as an additional payload delivered in campaigns involving 9002 RAT and linked in prior operations alongside Trochilus-related activity.
A backdoor referenced as part of malware distribution associated with ransomware activity.
A malware family repeatedly used across Chinese state-sponsored campaigns; cited here as a shared tool that complicates attribution because multiple groups reuse it.
Remote access trojan delivered via a multi-stage chain using a malicious LNK, PowerShell loader, DLL sideloading, encrypted shellcode, API hashing, and in-memory execution. The final payload establishes persistent access and communicates with C2 over HTTPS.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.