KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[1]

ID: S1051
Associated Software: KEYPLUG.LINUX
Platforms: Linux, Windows
Version: 1.0
Created: 12 December 2022
Last Modified: 12 December 2022

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

KEYPLUG can decode its configuration file to determine C2 protocols.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.[1]

Enterprise T1095 Non-Application Layer Protocol

KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.[1]

Enterprise T1027 Obfuscated Files or Information

KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[1]

Enterprise T1090 Proxy

KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.[1]

Enterprise T1124 System Time Discovery

KEYPLUG can obtain the current tick count of an infected computer.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

The KEYPLUG Windows variant has retrieved C2 addresses from encoded data in posts on tech community forums.[1]

Groups That Use This Software

ID Name References
G0096 APT41



ID Name Description
C0017 C0017