How a new PlugX variant abuses DLL search order hijacking
Sept. 25, 2025, 7:47 p.m.
Description
A new campaign targeting telecommunications and manufacturing organizations in Central and South Asian countries has been discovered, delivering a new variant of PlugX. The campaign, active since 2022, shows overlaps with the RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods. The new PlugX variant's configuration format resembles that of RainyDay, suggesting attribution to Naikon. Analysis of victimology and technical implementation indicates a potential connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. The malware families use similar infection chains, loaders, and shellcode structures, with shared RC4 keys for payload decryption. This campaign highlights the evolving tactics of Chinese-speaking threat actors and the potential collaboration between previously distinct groups.
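The hijack the description refers to is the Windows default DLL search order: a DLL imported by bare name is looked for in the application directory before System32, so a malicious DLL dropped next to a legitimate, signed EXE with a System32 DLL's name gets loaded instead of the real one. The script below is an added hunting example, not code from the report or from the PlugX analysis. It walks a directory tree and reports every DLL that shadows a System32 DLL and sits beside an EXE that could load it, while ignoring KnownDLLs (which the loader maps from the KnownDlls object directory regardless of what is on disk). The DLL name sets and the directory layout are constructed for the demo; on a live host you would fill SYSTEM_DLL_NAMES from %SystemRoot%\System32 and point the scan at Program Files, ProgramData and user-writable application directories.

```python
"""Hunt for DLL search-order hijacking (sideloading) candidates on disk.

Added example, not code from the original report. It runs against a
constructed directory tree so it works offline; on a live Windows host you
would point find_sideload_candidates() at Program Files, ProgramData and
user-writable application directories and fill SYSTEM_DLL_NAMES from the
contents of %SystemRoot%\\System32.
"""
import os
import tempfile
from pathlib import Path

# Constructed subset: DLLs that live in System32 and that many applications
# import by bare name. Under the default search order the application
# directory is checked before System32, so a same-named DLL dropped next to a
# legitimate EXE is what gets loaded. This is the hijack the pulse describes.
SYSTEM_DLL_NAMES = {
    "version.dll", "winhttp.dll", "dwmapi.dll", "userenv.dll",
    "cryptbase.dll", "wininet.dll", "dbghelp.dll",
}

# Constructed subset of the KnownDLLs list. These are mapped from the
# KnownDlls object directory no matter what sits in the application
# directory, so a planted copy is noise, not a hijack.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
    "gdi32.dll", "advapi32.dll",
}


def find_sideload_candidates(root, system_dll_names=SYSTEM_DLL_NAMES,
                             known_dlls=KNOWN_DLLS):
    """Return one finding per (directory, DLL) where a DLL that shadows a
    System32 DLL sits beside at least one EXE that could load it.
    Names are compared case-insensitively because NTFS is."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        exes = sorted(f for f in names if f.endswith(".exe"))
        if not exes:
            # No EXE here means nothing uses this directory as its
            # application directory, so the search order never reaches it.
            continue
        for dll in sorted(names):
            if not dll.endswith(".dll") or dll in known_dlls:
                continue
            if dll in system_dll_names:
                findings.append({
                    "dir": dirpath,
                    "exes": exes,
                    "dll": dll,
                    # A writable directory means an unprivileged user could
                    # have planted the DLL; worth surfacing to the analyst.
                    "writable": os.access(dirpath, os.W_OK),
                })
    return findings


def build_demo_tree(base):
    """Constructed layout for the demo; every file is a two-byte 'MZ' stub."""
    app = Path(base) / "Updater"
    app.mkdir()
    (app / "updater.exe").write_bytes(b"MZ")    # stands in for a signed, legitimate EXE
    (app / "version.dll").write_bytes(b"MZ")    # planted loader named after a System32 DLL
    (app / "kernel32.dll").write_bytes(b"MZ")   # planted too, but a KnownDLL: ignored by the loader
    (app / "libhelper.dll").write_bytes(b"MZ")  # ordinary private DLL, not a hijack
    clean = Path(base) / "Notes"
    clean.mkdir()
    (clean / "notes.exe").write_bytes(b"MZ")
    (clean / "notes.dll").write_bytes(b"MZ")
    loose = Path(base) / "Loose"
    loose.mkdir()
    (loose / "winhttp.dll").write_bytes(b"MZ")  # no EXE beside it, so not reported


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return findings."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return find_sideload_candidates(base)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['dll']} beside {hit['exes']} in {hit['dir']} "
              f"(dir writable: {hit['writable']})")
```

Only the planted version.dll in the Updater directory is reported: kernel32.dll is skipped as a KnownDLL, libhelper.dll and notes.dll shadow nothing, and the stray winhttp.dll has no EXE beside it. On a real host, triage each finding by checking whether the DLL's Authenticode signer matches the EXE's and whether the DLL's exports look like a forwarding stub, since a name match alone is not proof of compromise.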
Date
- Created: Sept. 25, 2025, 7:15 p.m.
- Published: Sept. 25, 2025, 7:15 p.m.
- Modified: Sept. 25, 2025, 7:47 p.m.
Indicators
- fe4f88bdfff87a94bd57bc16c20d199ee548e551b4aca852bcc013d0955d7ce8
- fd87149d6b8fdcad5d84ba4a3ca52e1cef8f0c54cafca6dbbb5d156f313d79dd
- fd6b1ca0f26e54fa9c97ea15c834e58ffb71798df38071ad00b14f19d6a4126c
- f0ad27f8737ac1a079a52c91d8b5cdd554cd42dccc597de8337e0c25d5287dd2
- f0397688418692c467488ac37d362b9b1efdba8b60b0d99725e2b66f3e03badb
- e29767ffb75be9f363a39ba9b66785ecfc992e3d91ec9fc46515ef94c37dc0b6
- dff0164392e12d2bbb85c630419fd349f9d87f80bdb92774c0b53d7e063e77e4
- def64a0564f33f39235e3778d86863565a40493ae1f5c075552611d79383b471
- c922ef32c4ab94f8b870c62883f3e41755ec705db76ec4efb0d343458f1e28c7
- c91595edd1c9a0a2c1168e3bfa532e4a7dbb6b1380afd80ba445b728622798a4
- b691b2c1846ea75bb5b07a21c8664ecdb6379685623ba45fe6ca552e94a58ebc
- b1ee96026a3fc0ee55dab3b73896e88760f909b3c52d4a0152288d90e63f2e63
- b03fe49036c3830f149135068ff54f5c6c6622008a6fcb7edbf6b352e9a0acc0
- ab526d5ed335860ac2fe0adee26de1a95a3c528299800ddbb4d1e2dd91267252
- aec2d0cbd2f195bf35e55019a29f0d6109451eb85dc7941b73e3b562b065a11c
- a92ed5f831c99bb84208ef7d7c733e0183a79de40f9d3b3be54744951f0a1391
- a12ed375965859d9434c9f651eef2f3663bb076963fec31723176c9083117671
- 906ff72d4ea9cd831c58dc009fb1bbe407e8f430208a63d3dffd3f8e1da73f6e
- 7b028a9bd2bc0c306ab6561cf702406f5925fc073f9d0d2d9408ceccd6907743
- 4c2253777f1b6e54431c28a7a284577bda3464aa82837bbd7de57a00869f0c5b
- 6a7880e14b9f03fe281c28b93094b7b150a1360cbf64dd0b47c87e111db406ca
- 42c9505c2c55b80e0e311cd6da6a5263b946c8ae8bd8162b0280a1e9be7f174b
- 2cc9959ff1172366e71c8ed89be5cb23f17abce1125871fe47a9465f59e6ed17
- 419eabb1c4c9be3ebdd726c73c497dcd2e39245f7e72ffcb67e032fcefe5ba13
- 3480613294bc1e1704616dbf5628b92d7186246b87dbef1c8c3dbae13fe35c8b
- 262df5a17003b3dc06d6eb2fff89eb66709819df8219f2842bfc913be9f85c10
- 2755de59ef87f9f38c236ed860a1f6f41a1d864126f54c4c0a7f87d4b4f63b20
- 1357b4577bd2d99546df2ef5cb4cd3bcbe2a9ee91783eb6798fc7dea660bc5e5
- 10479191f2e06ff11797fc4dda2e38ae6667c9dc396fac32a6cf76965358ade6
- 0ec83d1deb6065cac8ba8f849cdf5672da7313ec2e860a7d71bb7e397e661394
- 0bc51a290919c52cc62b3d8b4eed96609edf264f742d0409c975553b0cdc84a8
- 0443289b1fc556c5ef4bbfa13774500e3936d965799a9c27be0601170601094d
- 03cec3b010853893310fea486ecfddf09642a7a5c695c70db77d22bc7c402234
- 00dbc8a4b3121af5a19504a9d969e36e709556420a6117eb3533f1d2a8100fd9
- f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
- 66.42.62.253
- 45.114.192.137
- 23.254.225.184
- 141.164.59.111
- 117.254.105.200
- 117.239.199.202
- 103.9.14.218
- 103.172.10.165
- 103.136.45.108
- 36.75.75.75
- 138.112.25.25
- 123.181.24.36
- 71.162.181.51
- pay.googleinstall.com
- mailserver.kozow.com
- asp.asphspes.com
- newsinfom.org
- 2fgithub.com
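The indicators above mix SHA-256 hashes, IPv4 addresses and domains in one flat list. As an added example that is not part of the pulse, the script below classifies a subset of them by type (the values are copied from the list above) and runs them over a few constructed log lines, taking care of the matching pitfalls a SOC hits first: hashes logged in upper case, an address like 36.75.75.75 hiding inside 136.75.75.75, and a subdomain of an indicator (which should fire) versus a sibling host under the same parent domain (which should not). The log lines are constructed for illustration and come from no real incident.

```python
"""Classify the pulse indicators by type and scan log lines for them.

Added example, not part of the original pulse. The indicator values are
copied from the pulse's Indicators list; the log lines are constructed for
illustration and do not come from any real incident.
"""
import re

# Exact-match validators used to classify a single indicator string.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Token patterns for pulling candidates out of free-form log text.
HASH_TOKEN = re.compile(r"\b[0-9a-f]{64}\b")
# Look-arounds stop 36.75.75.75 from matching inside 136.75.75.75.
IP_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
DOMAIN_TOKEN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b")

# Subset of the pulse indicators (the full list is in the Indicators section).
PULSE_INDICATORS = [
    "fe4f88bdfff87a94bd57bc16c20d199ee548e551b4aca852bcc013d0955d7ce8",
    "03cec3b010853893310fea486ecfddf09642a7a5c695c70db77d22bc7c402234",
    "66.42.62.253",
    "36.75.75.75",
    "pay.googleinstall.com",
    "mailserver.kozow.com",
    "2fgithub.com",
]

# Constructed log lines: DNS, proxy, EDR image-load and firewall events.
SAMPLE_LOGS = [
    "2025-09-25T19:15:02Z dns query host=WS-041 qname=pay.googleinstall.com qtype=A",
    "2025-09-25T19:15:03Z proxy src=10.20.1.14 dst=136.75.75.75 url=https://cdn.example.net/update",
    "2025-09-25T19:16:10Z edr host=WS-041 event=image_load path=C:\\Users\\p\\AppData\\Local\\Temp\\version.dll "
    "sha256=FE4F88BDFFF87A94BD57BC16C20D199EE548E551B4ACA852BCC013D0955D7CE8",
    "2025-09-25T19:17:44Z fw src=10.20.1.14 dst=66.42.62.253 dport=443 action=allow",
    "2025-09-25T19:18:00Z dns query host=WS-042 qname=mail.kozow.com qtype=A",
    "2025-09-25T19:19:31Z dns query host=WS-043 qname=update.pay.googleinstall.com qtype=A",
]


def classify(indicator):
    """Return 'sha256', 'ipv4', 'domain' or 'unknown' for one indicator."""
    value = indicator.strip().lower()
    if SHA256_RE.match(value):
        return "sha256"
    if IPV4_RE.match(value) and all(int(o) <= 255 for o in value.split(".")):
        return "ipv4"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def build_ioc_sets(indicators):
    """Bucket indicators by type; values are lower-cased for matching."""
    sets = {"sha256": set(), "ipv4": set(), "domain": set()}
    for raw in indicators:
        kind = classify(raw)
        if kind in sets:
            sets[kind].add(raw.strip().lower())
    return sets


def scan_logs(lines, ioc_sets):
    """Return (line_index, kind, indicator) for every IOC hit, in line order.

    Hashes match case-insensitively, IPs must match as whole addresses, and a
    domain matches exactly or as the parent of the observed host. A sibling
    host under the same parent domain (mail.kozow.com for the indicator
    mailserver.kozow.com) is deliberately not a hit.
    """
    hits = []
    for idx, line in enumerate(lines):
        low = line.lower()
        seen = set()
        for h in HASH_TOKEN.findall(low):
            if h in ioc_sets["sha256"]:
                seen.add(("sha256", h))
        for ip in IP_TOKEN.findall(low):
            if ip in ioc_sets["ipv4"]:
                seen.add(("ipv4", ip))
        for host in DOMAIN_TOKEN.findall(low):
            for ioc in ioc_sets["domain"]:
                if host == ioc or host.endswith("." + ioc):
                    seen.add(("domain", ioc))
        hits.extend((idx, kind, value) for kind, value in sorted(seen))
    return hits


if __name__ == "__main__":
    for idx, kind, value in scan_logs(SAMPLE_LOGS, build_ioc_sets(PULSE_INDICATORS)):
        print(f"line {idx}: {kind} {value}")
```

Four of the six constructed lines fire: the DNS query for pay.googleinstall.com, the upper-case hash on the EDR image-load event, the firewall connection to 66.42.62.253, and the subdomain update.pay.googleinstall.com. The proxy line to 136.75.75.75 and the query for mail.kozow.com stay quiet, which is the behaviour you want before wiring a list like this into a SIEM rule.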