PlugX
PlugX is a remote access trojan (RAT) / backdoor that Chinese state-linked and PRC-based espionage actors have used since at least 2008. Aliases that appear in the sources collected here include Korplug, SOGU, Kaba, Destroyrat, Thoper, TVT, and PlugX_RAT. It is repeatedly associated with Chinese threat groups including Mustang Panda (also tracked as RedDelta, Bronze President, Stately Taurus), APT41/Winnti, PKPLUG-related activity, and other China-linked clusters.
Across the cited reporting, PlugX is commonly delivered through phishing and archive-based lures, fake browser or software updates, trojanized installers, malicious documents, and especially DLL side-loading using legitimate signed executables. Observed side-loading hosts and package patterns include G DATA Avk.exe with Avk.dll and AVKTray.dat, AvastSvc.exe with wsc.dll and AvastAuth.dat, McAfee binaries such as scncgf32.exe/vsodscpl.dll and siteadv.exe/siteadv.dll, Cisco and VLC-related binaries, RealPlayer, and other legitimate applications. The malware is also referenced in USB-worm-enabled propagation scenarios and in campaigns using staged loaders, shellcode, or downloaders such as DOWNBAIT/PULLBAIT and PUBLOAD.
Capabilities directly described in the content include remote command execution and remote shell access, file upload/download, file enumeration and deletion, process launching, process and service management, screenshot capture, keylogging, registry enumeration and editing, SQL enumeration, port mapping, configurable network protocols, plugin-based capability expansion, collection and staging of victim files for exfiltration, and exfiltration of stolen data to command-and-control servers. PlugX can query the Windows Registry and collect system information from infected hosts.
The content describes multiple persistence and execution patterns: three-component installations consisting of a benign signed executable, a malicious DLL loader, and an encoded payload file; manual mapping of the final payload into memory; registry Run key persistence; service-based persistence in some related campaigns; mutex creation; and in-memory execution designed to reduce static and behavioral detection. Some reporting notes command-and-control over TCP/HTTPS on port 443, including RC4-encrypted communications and traffic crafted to resemble legitimate browser activity. Because some variants send plaintext or RC4-encrypted data to port 443 without a TLS handshake, defenders are advised to watch for non-SSL traffic on that port; variants that speak real HTTPS will not stand out this way.
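A concrete form of the port-443 check above, added here as an example and not taken from any of the cited reports: the first client-to-server bytes of a flow to port 443 either form a TLS ClientHello record or they do not, and a flow that does not is a lead worth looking at regardless of destination. The flows, destination names and payload bytes below are constructed for the example; none are indicators from the reporting.

```python
"""Triage outbound port-443 flows by their first client bytes: TLS handshake or not."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst: str            # destination (hypothetical names; not indicators from the reporting)
    dport: int
    first_bytes: bytes  # first client->server payload bytes of the flow


def looks_like_tls_client_hello(b: bytes) -> bool:
    """True when the bytes start a well-formed TLS Handshake record carrying a ClientHello.

    Record layer: content type 0x16, legacy version 0x0300..0x0303, 2-byte length.
    Handshake layer: type 0x01 (ClientHello), 3-byte length that must fit the record.
    """
    if len(b) < 9 or b[0] != 0x16 or b[1] != 0x03 or b[2] > 0x03:
        return False
    record_len = int.from_bytes(b[3:5], "big")
    if b[5] != 0x01:
        return False
    handshake_len = int.from_bytes(b[6:9], "big")
    return handshake_len + 4 == record_len


def looks_like_plaintext_http(b: bytes) -> bool:
    """Unencrypted HTTP request on a port that should only ever carry TLS."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
    return b.startswith(methods) and b" HTTP/1." in b[:128]


def classify(flow: Flow) -> str:
    """Verdict for one flow; anything other than 'tls' on 443 is a hunting lead."""
    if flow.dport != 443:
        return "not-443"
    if looks_like_tls_client_hello(flow.first_bytes):
        return "tls"
    if looks_like_plaintext_http(flow.first_bytes):
        return "plaintext-http-on-443"
    return "opaque-non-tls-on-443"


def non_tls_leads(flows):
    """Flows to port 443 whose first bytes are not a TLS ClientHello, with their verdict."""
    return [(f.dst, classify(f)) for f in flows if f.dport == 443 and classify(f) != "tls"]


def _client_hello() -> bytes:
    """Structurally valid TLS ClientHello record with a zeroed body (constructed)."""
    body = bytes(38)  # client_version, random, session id ... would live here
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows; none of these bytes come from a real capture.
SAMPLE_FLOWS = [
    Flow("cdn.example.test", 443, _client_hello()),
    Flow("update.example.test", 443, b"POST /update HTTP/1.1\r\nHost: update.example.test\r\n\r\n"),
    Flow("api.example.test", 443, bytes.fromhex("9f3ce1b07d44a2c8e5f16b3a9c0d7e21")),
    Flow("mail.example.test", 25, b"EHLO client.example.test\r\n"),
]

if __name__ == "__main__":
    for dst, verdict in non_tls_leads(SAMPLE_FLOWS):
        print(f"{dst}: {verdict}")
```

The check only needs the client's first bytes, so it can run over Zeek or pcap-derived data cheaply. Treat hits as leads, not verdicts: some proxies and broken clients do send plaintext HTTP to 443, and a PlugX build that genuinely negotiates TLS, as the fruitbrat[.]com case describes, passes this test, which is why the reporting says "in some cases".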
Targeting described in the content is consistent with long-running cyber-espionage operations against governments, diplomats, law enforcement, NGOs, telecoms, think tanks, Catholic/Vatican entities, software developers, and other strategic organizations, with notable geographic focus on Asia and Southeast Asia including Mongolia, Taiwan, Myanmar, Vietnam, Cambodia, Japan, and ASEAN-affiliated entities, as well as Europe and other regions. Specific indicators mentioned in the content for PlugX-related activity include fruitbrat[.]com, dalerocks[.]com:443, 45[.]251[.]243[.]210, sg3appstore[.]net, us3appstore[.]net, bz3appstore[.]info, maildantri[.]org, link.linkipv6[.]com, 192.225.226[.]123, 192.225.226[.]217, and 45.77.173[.]124:443, along with artifacts such as Avk.exe, Avk.dll, AVKTray.dat, AvastSvc.exe, wsc.dll, AvastAuth.dat, and registry paths including HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Classes\ms-pu\CLSID in one observed chain.
The content also notes that PlugX remains in heavy use despite ShadowPad often being described as its successor or evolution.
Vulnerabilities exploited
15 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
At the end of the infection chain, hackers deployed a version of PlugX malware onto victim machines. PlugX is a remote access Trojan that's been a staple of Chinese nation-state hacking since 2008. | Microsoft has been aware of the flaw, tracked as CVE-2025-9491, at least since September 2024, when the Zero Day Initiative identified it as ZDI-25-148 and ZDI-CAN-25373 and notified Redmond. The vulnerability exists in how Windows processes .lnk files, which are desktop icons acting as a shortcut to another file or application.
The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. | Blue Coat noted the DLL side-loading technique used to launch the malicious payload via legitimate, signed applications. Their report also documented the group’s use of an exploit against software vulnerabilities in Microsoft Office. In this case, using a weaponized Word document saved as a Single File Web Page format ... in order to exploit CVE-2012-0158 to drop and execute a signed WinRAR SFX archive containing the side-loading package and PlugX payload.
"...Winnti, aka Barium and APT41... The group used the PlugX RAT and ShadowPad malware in its attacks." | Previously, Eset reported that about five APT groups has been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 ... Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
“PlugX often used by Chinese threat actors… PlugX is a variant of the BackDoor.PlugX.38…”
In one case, we could see that this variant was deployed following exploitation of the CVE-2020-0688 vulnerability on the network of a government entity. This vulnerability, which was publicly reported in February 2020, allows an authenticated user to run commands as SYSTEM on a Microsoft Exchange server. | Avira blogged about HoneyMyte PlugX variants... PlugX has been used by multiple APT groups over the past decade...
The campaign, discovered by Orange Cyberdefense and later analyzed by Fortinet, typically began with the exploitation of CVE-2024-24919, a critical vulnerability in Check Point VPN appliances.
It appears to have started with CVE-2014-3393, a vulnerability in the Cisco Clientless SSL VPN portal... A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal... An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.
Associated Analytic Story: AgentTesla; CVE-2023-21716 Word RTF Heap Corruption; Compromised Windows Host; FIN7; PlugX; Warzone RAT
Details on Exploited Vulnerabilities ... CVE-2021-40444 Microsoft Windows ... YARA Rules ... reference = “... PrintNightmare and MSHTML exploits” ... $cve2 = “CVE-2021-40444”
Details on Exploited Vulnerabilities ... CVE-2021-1675 Microsoft Windows ... YARA Rules ... reference = “... PrintNightmare and MSHTML exploits” ... $cve1 = “CVE-2021-1675”
"Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code."
Groups observed using it
14 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A well-known Chinese state-sponsored threat group called Mustang Panda has been caught running a sophisticated cyberattack campaign using its signature remote access tool, PlugX.
Using our telemetry data, we found that the threat actor also dropped PlugX and ShadowPad samples in victim environments.
Inside: captive-portal Wi-Fi Pineapples that bypass MFA, PlugX side-loading through legitimate apps, and the USB worm that jumps air-gapped military networks.
This group is also linked to the use of PlugX/Fast/Korplug and Winnti/Pasteboy and Shadowpad malware, with Korplug and Winnti being prominent malware families since 2012.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package.
The attackers also use well-known malware: PlugX, ShadowPad, Poison Ivy, a modified variant of PcShare, and the public ReVBShell shell.
UNC3569 uses this malware payload installer tool to deploy the SOGU backdoor, demonstrating a willingness to leverage external resources to enhance its operational capabilities.
These revolved around a few known toolsets commonly associated with Chinese threat actors, notably the PlugX malware... PlugX is a well-known Chinese trojan used by a whole host of threat actors.
In addition to the continued use of SOGU, the current wave of intrusions has involved new tools we believe are unique to APT10.
In 2017, Proofpoint issued a report about attacks against targets in Russia and Belarus using ZeroT and PlugX.
Like other researchers, we thought this might be a PlugX-like campaign, given that the attack chain shares several characteristics with observed PlugX attacks.
Later that August, Symantec highlighted the activity of a new threat cluster codenamed Carderbee, which was found using a trojanized version of the program to deploy PlugX, a backdoor widely used by Chinese hacking groups like Mustang Panda.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Earth Krahang delivers backdoors to establish access to victim machines. Cobalt Strike and two custom backdoors, RESHELL and XDealer, were employed during the initial stage of attack.
Initial Access
6 techniques
the USB worm that jumps air-gapped military networks
It has been linked to supply chain compromises and for hacking into popular software vendors. Well known software titles with significant installation bases were compromised with malware.
The modus operandi of this group was to compromise developer workstations that had access to source code repositories and then install backdoors and other malware into legitimate software.
Considering all the malware related to PKPLUG that Unit 42 has analyzed, the use of such exploits appears to be less common than a spear-phishing technique making use of social engineering to lure victims into running their malware.
UNC6384 hackers goaded Belgian and Hungarian diplomats into unzipping archived files containing a malicious shortcut file through spear-phishing emails that used themes such as an agenda for a European Commission meeting on free trade in the Western Balkans.
Most recently, RedDelta used spearphishing links to prompt a victim to load an HTML file remotely hosted on Microsoft Azure.
Execution
4 techniques
After execution, the malicious shortcut file decodes a tar archive file and uses PowerShell to execute it - while also displaying a PDF decoy document.
It could... launch processes and capture their output...
In 2024, the group transitioned to using Microsoft Management Console Snap-In Control (MSC) files. | In late 2023, RedDelta evolved the first stage of its infection chain to leverage a Windows Shortcut (LNK) file likely delivered via spearphishing.
Persistence
3 techniques
It also stored a unique client ID in the registry to identify the infected machine to the remote server.
Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'
Privilege Escalation
3 techniques
It read the encrypted payload inside AVKTray.dat, granted it execute permissions in memory, then triggered execution through a Windows threadpool callback, a method that hides the true origin of execution from security monitoring tools.
Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'
Stealth
10 techniques
Avk.dll served as an intermediate loader, using a runtime hashing technique to resolve Windows APIs without exposing them through static analysis.
The group used a cleverly disguised fake browser update to trick users into downloading a multi-stage malware loader... The dropper, Browser_Updater.exe, opened a convincing fake update window styled after Adobe Acrobat... and downloaded what looked like a JPEG image but was actually a hidden MSI installer.
It read the encrypted payload inside AVKTray.dat, granted it execute permissions in memory, then triggered execution through a Windows threadpool callback, a method that hides the true origin of execution from security monitoring tools.
The payload inside AVKTray.dat passed through multiple decryption layers, including XOR followed by RC4 decryption using the key VOphJo...
The tar archive also contains a legitimate Canon printer assistant utility that hackers hijack to use as a loader to decrypt and execute yet another file containing the PlugX payload. The Canon utility is signed with a legitimate Symantec certificate...
It could... kill diagnostic tools like iediagcmd.exe to prevent an admin from spotting unusual activity.
The PlugX variant creates a hidden directory... This version of the Trojan can change the directory name with each new system launch, making the infection harder to detect.
Hidden folders within the archive contained three files used to complete dynamic-link library (DLL) search order hijacking: a legitimate binary, a malicious DLL loader, and an encrypted PlugX payload that was ultimately loaded into memory.
It read the encrypted payload inside AVKTray.dat, granted it execute permissions in memory... The payload... was manually mapped into memory without touching the disk as a normal executable.
Defense Impairment
1 technique
Discovery
2 techniques
Lateral Movement
2 techniques
the USB worm that jumps air-gapped military networks
Collection
3 techniques
PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx) ... PlugX then takes care of deploying another bespoke file collector called FILESAC that can collect the victim's files.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
This activity used an infection chain that began by delivering an archive file (ZIP, RAR, or ISO), which was likely delivered via spearphishing.
Command and Control
5 techniques
Both UNC6384 and Mustang Panda share operational characteristics, including a mutual interest in breaching government agencies, overlapping command-and-control infrastructure, utilization of DLL side-loading techniques and PlugX deployment, Arctic Wolf wrote.
Once installed, the payload connected to its command-and-control server at fruitbrat[.]com over port 443, using HTTPS to blend in with normal web traffic.
It could download and execute files from the C2... Plugin loader stubs in the code also allowed the attackers to push additional capabilities to infected machines whenever needed.
ShadowPad This backdoor RAT, reported by Kaspersky in 2017... It is considered to be an evolution of PlugX, both of which originated from China and are used by Chinese APTs (APT41 in particular).
Unlike the last cluster however, this variant appears to have been used in an extensive DDNS cluster of infrastructure dating back to at least 2013... that campaign appeared to have slightly different tactics, techniques, and procedures (TTPs), including potentially target-themed domain infrastructure as well as heavily relying on dynamic DNS for C2 domains.
Other
1 technique
IOCs tracked for this family
520 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
PlugX is a remote access implant used by Mustang Panda. In this campaign it was delivered through a multi-stage loader chain using DLL sideloading, decrypted from AVKTray.dat, manually mapped into memory, persisted via the Windows Run key, and communicated with a C2 server over HTTPS while mimicking Microsoft Edge traffic. It supports downloading and executing files, launching processes and capturing output, uploading and downloading file chunks, enumerating and deleting files, killing diagnostic tools, and loading additional plugins.
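The summary above, and the Stealth quotes earlier, describe the payload coming out of AVKTray.dat through an XOR layer and then RC4 before it is mapped. An added example of that unpacking order, not code from the reporting: decrypt XOR first, then RC4, and accept the result only if it parses as a PE image. The reporting truncates the real RC4 key, so both keys below are hypothetical, and the sample blob is constructed inside the block by applying the two layers in reverse. The last function brute-forces a single-byte XOR constant when only the RC4 key is known, a useful shortcut when the XOR byte is not obvious from the loader.

```python
"""Unpack an XOR-then-RC4 encoded payload and accept it only if it is a PE image."""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the common case in loaders of this kind."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack(blob: bytes, xor_key: bytes, rc4_key: bytes) -> Optional[bytes]:
    """Reverse the layers in the order the reporting gives: XOR first, then RC4."""
    candidate = rc4(rc4_key, xor_bytes(blob, xor_key))
    return candidate if is_pe(candidate) else None


def recover_single_byte_xor(blob: bytes, rc4_key: bytes) -> Optional[int]:
    """When only the RC4 key is known, try every single-byte XOR constant."""
    for k in range(256):
        if unpack(blob, bytes([k]), rc4_key) is not None:
            return k
    return None


def pack(payload: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Inverse of unpack; used here only to construct the sample blob."""
    return xor_bytes(rc4(rc4_key, payload), xor_key)


# Hypothetical keys: the reporting truncates the real RC4 key, so these are made up.
XOR_KEY = b"\x5a"
RC4_KEY = b"hypothetical-rc4-key"

# Constructed minimal PE-shaped payload: MZ stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
_payload = bytearray(0x60)
_payload[0:2] = b"MZ"
_payload[0x3C:0x40] = (0x40).to_bytes(4, "little")
_payload[0x40:0x44] = b"PE\0\0"
SAMPLE_PAYLOAD = bytes(_payload)
SAMPLE_BLOB = pack(SAMPLE_PAYLOAD, XOR_KEY, RC4_KEY)

if __name__ == "__main__":
    print("encoded blob head:", SAMPLE_BLOB[:8].hex())
    print("unpacked == payload:", unpack(SAMPLE_BLOB, XOR_KEY, RC4_KEY) == SAMPLE_PAYLOAD)
    print("recovered XOR byte:", hex(recover_single_byte_xor(SAMPLE_BLOB, RC4_KEY)))
```

Getting the layer order wrong (RC4 before XOR) yields garbage that fails the PE check, which is exactly why the check is there: it turns a silent wrong answer into a None. The brute force works because a wrong XOR byte leaves the RC4 output XORed with a constant, so the MZ/PE markers only line up for the right one.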
A remote access trojan used via DLL side-loading through legitimate applications to provide covert access on victim systems.
A malware family referenced for technical overlap and possible actor linkage; the content suggests actors associated with PlugX may be experimenting with Beagle.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.