PlugX is a remote access tool (RAT) that uses modular plugins. [1] It has been used by multiple threat groups. [2] [3] [4]

ID: S0013
Aliases: PlugX, Sogu, Kaba, Korplug
Platforms: Windows

Version: 1.0

Alias Descriptions

PlugX[1] [2]
Sogu[1] [2]

Techniques Used

EnterpriseT1059Command-Line InterfacePlugX allows actors to spawn a reverse shell on a victim.[4]
EnterpriseT1043Commonly Used PortPlugX has beaconed to its C2 over port 443.[5]
EnterpriseT1094Custom Command and Control ProtocolPlugX can be configured to use raw TCP or UDP for command and control.[4]
EnterpriseT1073DLL Side-LoadingPlugX has used to use DLL side-loading to evade anti-virus and to maintain persistence on a victim.[2][4][6][5][7]
EnterpriseT1106Execution through APIPlugX can use the Windows API function CreateProcess to execute another process.[1]
EnterpriseT1036MasqueradingIn one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[8]
EnterpriseT1026Multiband CommunicationPlugX can be configured to use multiple network protocols to avoid network-based detection.[4]
EnterpriseT1050New ServicePlugX can be added as a service to establish persistence.[1][5][8][9]
EnterpriseT1012Query RegistryPlugX can query for information contained within the Windows Registry.[1]
EnterpriseT1060Registry Run Keys / Startup FolderPlugX can add a Run key entry in the Registry to establish persistence.[1][5]
EnterpriseT1071Standard Application Layer ProtocolPlugX can be configured to use HTTP or DNS for command and control.[4]
EnterpriseT1095Standard Non-Application Layer ProtocolPlugX can be configured to use raw TCP or UDP for command and control.[4]
EnterpriseT1127Trusted Developer UtilitiesA version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques.[7]
EnterpriseT1102Web ServicePlugX uses Pastebin to store its real C2 addresses.[7]


Groups that use this software:

Threat Group-3390