PlugX is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. [1] [2] [3] [4]

ID: S0013
Associated Software: DestroyRAT, Sogu, Kaba, Korplug
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 20 June 2020

Associated Software Descriptions

Name Description



[1] [2][5]





Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PlugX can be configured to use HTTP for command and control.[4]

.004 Application Layer Protocol: DNS

PlugX can be configured to use DNS for command and control.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PlugX adds Run key entries in the Registry to establish persistence.[1][6][5]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PlugX allows actors to spawn a reverse shell on a victim.[4][5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.[5][1][6][7][8]

Enterprise T1140 Deobfuscate/Decode Files or Information

PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[5]

Enterprise T1083 File and Directory Discovery

PlugX has a module to enumerate drives and find files recursively.[5]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

PlugX has used DLL side-loading to evade anti-virus.[2][4][9][6][10]

Enterprise T1105 Ingress Tool Transfer

PlugX has a module to download and execute files on the compromised machine.[5]

Enterprise T1056 .001 Input Capture: Keylogging

PlugX has a module for capturing keystrokes per process including window titles.[5]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[7]

Enterprise T1112 Modify Registry

PlugX has a module to create, delete, or modify Registry keys.[5]

Enterprise T1106 Native API

PlugX can use the Windows API function CreateProcess to execute another process.[1]

Enterprise T1135 Network Share Discovery

PlugX has a module to enumerate network shares.[5]

Enterprise T1095 Non-Application Layer Protocol

PlugX can be configured to use raw TCP or UDP for command and control.[4]

Enterprise T1057 Process Discovery

PlugX has a module to list the processes running on a machine.[5]

Enterprise T1012 Query Registry

PlugX can enumerate and query for information contained within the Windows Registry.[1][5]

Enterprise T1113 Screen Capture

PlugX allows the operator to capture screenshots.[5]

Enterprise T1049 System Network Connections Discovery

PlugX has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.[5]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.[10]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd". [11]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

PlugX uses Pastebin to store C2 addresses.[10]

Groups That Use This Software

ID Name References
G0022 APT3


G0027 Threat Group-3390


G0017 DragonOK


G0045 menuPass


G0062 TA459




G0096 APT41


G0126 Higaisa


G0129 Mustang Panda