1. Home
  2. Software
  3. PlugX

PlugX

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[1][2][3][4]

ID: S0013
Associated Software: Thoper, TVT, DestroyRAT, Sogu, Kaba, Korplug
Type: MALWARE
Platforms: Windows
Version: 3.2
Created: 31 May 2017
Last Modified: 11 September 2025
Version Permalink

Associated Software Descriptions

Name Description
Thoper

[5]
TVT

[5]
DestroyRAT

[6]
Sogu

[1][2][6]
Kaba

[2]
Korplug

[1][6]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PlugX can be configured to use HTTP for command and control.[7][4][8][9] PlugX has also used HTTPS for C2.[10]
.004 Application Layer Protocol: DNS

PlugX can be configured to use DNS for command and control.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PlugX adds Run key entries in the Registry to establish persistence.[7][6][11][8][12][13][1] PlugX has established persistence via the registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run.[7]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PlugX allows actors to spawn a reverse shell on a victim.[7][6][4][8][10][14]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.[6][1][12][15][16]
Enterprise T1074 .001 Data Staged: Local Data Staging

PlugX has collected and staged the victim’s computer files for exfiltration.[11]
Enterprise T1622 Debugger Evasion

PlugX has made calls to Windows API CheckRemoteDebuggerPresent and exits if it detects a debugger.[13]
Enterprise T1140 Deobfuscate/Decode Files or Information

PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[6][17][9] PlugX has also decrypted its payloads in memory.[7][18][8][13]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

PlugX can use RC4 encryption in C2 communications.[7][9]
Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

PlugX has leveraged a mutex in its infection process.[7][13]
Enterprise T1041 Exfiltration Over C2 Channel

PlugX has exfiltrated stolen data and files to its C2 server.[11][14]
Enterprise T1083 File and Directory Discovery

PlugX has a module to enumerate drives and find files recursively.[7][18][6][9] PlugX has also checked the path from which it is running for specific parameters prior to execution. [7][11][13]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

PlugX can modify the characteristics of folders to hide them from the compromised user.[9] PlugX has also modified file attributes to hidden and system.[7][13]
.003 Hide Artifacts: Hidden Window

PlugX has the ability to execute a command on a hidden desktop.[7]
Enterprise T1574 .001 Hijack Execution Flow: DLL

PlugX has the ability to use DLL search order hijacking for installation on targeted systems.[9][14] PlugX has also used DLL side-loading to evade anti-virus.[2][4][19][12][20][17][21] PlugX has also used a legitimately signed executable to side-load a malicious payload within a DLL file.[7][18][8][14][13]
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

PlugX has modified local firewall rules on victim machines to enable a random, high-number listening port for subsequent access and C2 activity.[22]
Enterprise T1070 .004 Indicator Removal: File Deletion

PlugX has the remove itself and other artifacts.[7][11]
.009 Indicator Removal: Clear Persistence

PlugX has deleted registry keys that store data and maintained persistence.[7]
Enterprise T1105 Ingress Tool Transfer

PlugX has a module to download and execute files on the compromised machine.[6][11][10][9]
Enterprise T1056 .001 Input Capture: Keylogging

PlugX has a module for capturing keystrokes per process including window titles.[6]
Enterprise T1680 Local Storage Discovery

PlugX has collected a list of all mapped drives on the infected host.[7]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[15]
.005 Masquerading: Match Legitimate Resource Name or Location

PlugX has been disguised as legitimate Adobe and PotPlayer files.[9] PlugX has also imitated legitimate software directories and file names through the creation and storage of a legitimate EXE and the malicious DLLs.[7][8][14][13]
Enterprise T1112 Modify Registry

PlugX has a module to create, delete, or modify Registry keys.[7][6][11]
Enterprise T1106 Native API

PlugX can use the Windows API functions GetProcAddress, LoadLibrary, and CreateProcess to execute another process.[7][9][1]
Enterprise T1135 Network Share Discovery

PlugX has a module to enumerate network shares.[7][6]
Enterprise T1095 Non-Application Layer Protocol

PlugX can be configured to use raw TCP or UDP for command and control.[7][4]
Enterprise T1571 Non-Standard Port

PlugX has used random, high-number, non-standard ports to listen for subsequent actions and C2 activities.[22]
Enterprise T1027 Obfuscated Files or Information

PlugX can use API hashing and modify the names of strings to evade detection.[17][9]
.001 Binary Padding

PlugX has utilized junk code and opaque predicates in payloads to hinder analysis.[7]
.007 Dynamic API Resolution

PlugX has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.[7]
.013 Encrypted/Encoded File

PlugX has leveraged XOR encryption with the key of 123456789.[7]
Enterprise T1120 Peripheral Device Discovery

PlugX can identify removable media attached to compromised hosts.[11]
Enterprise T1057 Process Discovery

PlugX has a module to list the processes running on a machine.[6]
Enterprise T1012 Query Registry

PlugX can enumerate and query for information contained within the Windows Registry.[7][6][1]
Enterprise T1620 Reflective Code Loading

PlugX has loaded its payload into memory.[7][8][10][14][13]
Enterprise T1091 Replication Through Removable Media

PlugX has copied itself to infected removable drives for propagation to other victim devices.[11]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

PlugX has created a scheduled task to execute additional malicious software, as well as maintain persistence.[7]
Enterprise T1113 Screen Capture

PlugX allows the operator to capture screenshots.[6]
Enterprise T1082 System Information Discovery

PlugX has collected system information including OS version, processor information, RAM size, location, host name, IP, and screen size of the infected host.[7]
Enterprise T1614 System Location Discovery

PlugX has obtained the location of the victim device by leveraging GetSystemDefaultLCID.[7]
Enterprise T1016 System Network Configuration Discovery

PlugX has captured victim IP address details of the targeted machine.[7][11]
Enterprise T1049 System Network Connections Discovery

PlugX has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.[6]
Enterprise T1033 System Owner/User Discovery

PlugX has the ability to gather the username from the victim’s machine.[7]
Enterprise T1124 System Time Discovery

PlugX has identified system time through its GetSystemInfo command.[7]
Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.[20]
Enterprise T1204 .002 User Execution: Malicious File

PlugX has leveraged an initial executable disguised as a legitimate document to trick the target into opening it.[18][8]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd".[23]
Enterprise T1102 .001 Web Service: Dead Drop Resolver

PlugX uses Pastebin to store C2 addresses.[20]

Groups That Use This Software

ID Name References
G1047 Velvet Ant

Velvet Ant heavily relies on variants of PlugX for various phases of operations.[22]
G1034 Daggerfly

Daggerfly has used PlugX loaders as part of intrusions.[24]
G0096 APT41

APT41 used a variant of PlugX to connect to Windows and Linux systems via SSH and Samba/CIFS.[25][26]
G0022 APT3

[2]
G0126 Higaisa

[27]
G0027 Threat Group-3390

[4][28][29][17][21]
G1021 Cinnamon Tempest

[30]
G0093 GALLIUM

[31]
G0001 Axiom

[32][5]
G0045 menuPass

[12][15][33]
G0062 TA459

[34]
G1014 LuminousMoth

[35][36]
G0017 DragonOK

[3]
G0044 Winnti Group

[37]
G0129 Mustang Panda

[7][38][39][8][40][41][42][9][14][43]

Campaigns

ID Name Description
C0047 RedDelta Modified PlugX Infection Chain Operations

Mustang Panda activities during RedDelta Modified PlugX Infection Chain Operations largely focused on ways to install a variant of PlugX on victim machines.[43]

References

  1. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  2. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  3. Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
  4. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  5. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  6. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  7. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.
  8. EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025.
  9. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  10. Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.
  11. DOJ. (2024, December 20). Mag. No. 24-mj-1387 AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A NINTH SEARCH AND SEIZURE WARRANT- IN THE MATTER OF THE SEARCH AND SEIZURE OF COMPUTERS IN THE UNITED STATES INFECTED WITH PLUGX MALWARE . Retrieved September 9, 2025.
  12. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  13. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025.
  14. Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025.
  15. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  16. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  17. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  18. Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.
  19. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
  20. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  21. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  22. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  1. Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
  2. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  3. Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.
  4. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  5. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  6. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  7. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  8. SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.
  9. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  10. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  11. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  12. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  13. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  14. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  15. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  16. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  17. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  18. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  19. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  20. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  21. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.