PKPLUG Linked to Chinese Espionage Campaigns Across Southeast Asia
Palo Alto Networks Unit 42 reported that the PKPLUG intrusion set conducted long-running cyber espionage operations across Asia, particularly in Southeast Asia, and assessed with high confidence that the activity is tied to Chinese nation-state adversaries. The group was described as active for at least six years and focused on targets in Myanmar, Taiwan, Vietnam, Indonesia, Mongolia, Tibet, and Xinjiang, indicating intelligence collection against politically and geopolitically sensitive organizations and communities.
The campaigns used a combination of public and custom malware, including PlugX, Poison Ivy, Zupdax, 9002, HenBox, and the previously unknown Windows backdoor Farseer, with DLL side-loading and spear-phishing repeatedly used for delivery and execution. Unit 42 said overlapping infrastructure, malware characteristics, and shared tactics connected multiple previously reported operations under the PKPLUG umbrella, while HenBox expanded the threat to Android devices—especially targeting Uyghurs and Xiaomi devices—and the researchers released a STIX 2.0 adversary playbook consolidating indicators, campaigns, and ATT&CK-mapped techniques.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes PKPLUG report and STIX playbook
Unit 42 publicly released its analysis of PKPLUG and published a PKPLUG Adversary Playbook in STIX 2.0 format. The playbook consolidated indicators, campaigns, and ATT&CK-mapped TTPs associated with the intrusion set.
Unit 42 links PKPLUG to Chinese nation-state adversaries
In its report, Unit 42 consolidated multiple previously published campaigns under the PKPLUG cluster and assessed with high confidence that the group had ties to Chinese nation-state adversaries. The report highlighted targeting in Myanmar, Taiwan, Vietnam, Indonesia, Mongolia, Tibet, and Xinjiang.
HenBox campaigns target Android devices and Uyghur victims
PKPLUG-linked activity expanded to Android through the HenBox malware, with targeting that included Uyghurs and Xiaomi devices. This indicated the group's operations extended beyond Windows systems to mobile espionage.
Unit 42 starts tracking PKPLUG activity
Unit 42 reported that it had tracked PKPLUG for three years prior to publication, observing campaigns linked by overlapping infrastructure, malware characteristics, and tactics. This tracking connected activity involving tools such as PlugX, Poison Ivy, Zupdax, 9002, HenBox, and Farseer.
PKPLUG begins cyber espionage activity across Asia
Unit 42 assessed that the PKPLUG intrusion set had been active for at least six years, conducting cyber espionage operations across Asia with a focus on Southeast Asia. The group used spear-phishing, DLL side-loading, and a mix of public and custom malware in its operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Espionage Campaigns Target Regional Government and Military Interests
Security researchers reported multiple **China-linked espionage operations**, but they are not the same incident. One campaign tracked by Palo Alto Networks as **CL-STA-1087** targeted military organizations in Southeast Asia over several years, focusing on intelligence collection related to military capabilities, organizational structures, and cooperation with Western armed forces. The activity used custom malware including the **AppleChris** and **MemFun** backdoors and a **Getpass** credential harvester, alongside stable infrastructure and selective file collection consistent with long-term state-sponsored espionage. A separate report from Zscaler described a **China-nexus** intrusion set targeting entities in the Persian Gulf using conflict-themed lures to deliver **PlugX**. That attack chain relied on a ZIP archive containing a deceptive `.lnk` file, which downloaded a malicious CHM file, used `hh.exe` for extraction, displayed a decoy PDF about Iranian missile strikes, and ultimately installed a multi-stage PlugX payload. The other references are unrelated: one is a technical review of **CVE-2026-25185** in Windows shortcut handling, and another covers malicious Packagist themes shipping trojanized jQuery tied to **FUNNULL** infrastructure rather than the China-linked espionage activity described in the relevant reports.
Mar 21, 2026
Chinese Espionage Campaign CL-UNK-1068 Targeting Asian Critical Infrastructure via Web Server Exploitation
Palo Alto Networks Unit 42 reported a **previously undocumented Chinese threat actor**, tracked as **CL-UNK-1068**, conducting a multi-year intrusion campaign (observed since at least 2020) against high-value organizations across **South, Southeast, and East Asia**. Targeted sectors include **aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications**, with Unit 42 assessing **moderate-to-high confidence** that the primary objective is **cyber espionage** (while not fully ruling out criminal motives). The assessment cites tool provenance, linguistic artifacts in configurations, and consistent long-term targeting of Asian critical infrastructure as key factors supporting attribution. The activity features exploitation of **internet-facing web servers** to deploy **web shells** and establish persistence across both Windows and Linux environments, using a mix of custom malware, modified open-source tools, and **living-off-the-land binaries (LOLBINs)**. Reported tooling includes **Godzilla** and **ANTSWORD** web shells, the **Xnote** Linux backdoor, and **Fast Reverse Proxy (FRP)** for tunneling/relay; post-compromise behavior includes lateral movement and targeted file theft from Windows web servers (e.g., `c:\inetpub\wwwroot`) focusing on files such as `web.config`, `.aspx`, `.asmx`, `.asax`, and `.dll`, consistent with credential access and follow-on exploitation discovery.
Mar 21, 2026
China-Linked CL-STA-1087 Spied on Southeast Asian Militaries With AppleChris and MemFun
Palo Alto Networks Unit 42 disclosed a long-running cyberespionage campaign, tracked as **CL-STA-1087**, that has targeted military organizations across Southeast Asia since at least 2020. The intrusions were aimed at collecting highly specific intelligence on military capabilities, organizational structures, **C4I** environments, joint military efforts, official meeting records, and cooperation with Western armed forces, rather than conducting broad data theft. Researchers said the activity was first uncovered after suspicious PowerShell behavior on an unmanaged endpoint exposed an already-established foothold, with the attackers using delayed execution, dormant periods lasting months, and reverse shells to preserve stealth and support long-term access. The operation used custom malware including the **AppleChris** backdoor, the in-memory **MemFun** backdoor, and **Getpass**, a modified Mimikatz-based credential theft tool. Investigators reported tradecraft including DLL hijacking, process hollowing, reflective DLL loading, timestomping, malicious Windows service creation, and lateral movement with WMI and native .NET tooling across domain controllers, web servers, IT workstations, and executive systems. Command-and-control traffic was hidden through dead-drop resolvers on legitimate services such as **Pastebin** and **Dropbox**, while infrastructure patterns, UTC+8 working hours, China-based cloud hosting, and Simplified Chinese artifacts led researchers to assess the campaign with moderate confidence as China-linked state-backed espionage.
Jun 8, 2026