The Latest PlugX Variant Executed by STATICPLUGIN
Essential information
- Published
- 25/02/2026 11:36
- Modified
- 25/02/2026 11:55
- Tags
- 2026-02-25 apt code-signing dll sideloading plugx rc4 encryption staticplugin targeted attack valleyrat
- Related entities
- 11 observables, 1 intrusion sets (apt), 18 techniques (mitre), 4 malware, 2 others
Description
In January 2026, a new variant of the PlugX malware was observed being used in targeted attacks. Analysis suggests involvement of the UNC6384 APT group, linked to Mustang Panda, targeting government agencies in Southeast Asia. The malware uses a browser updater disguise to download and execute a malicious MSI file, leading to PlugX infection. The STATICPLUGIN downloader uses a revoked code-signing certificate from a Chinese company. The PlugX variant employs DLL sideloading and shellcode execution techniques. Its configuration is encrypted using RC4 and custom encoding. C2 servers were identified as fruitbrat[.]com and 108.165.255[.]97:443. The ongoing improvements to PlugX indicate its continued use in targeted attacks by APT groups.