All news with #bookworm tag

China-linked PlugX and Bookworm Target Asian Telecoms

🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.

Bookworm Linked to Stately Taurus — Unit 42 Analysis

🔎 This Unit 42 case study applies the Unit 42 Attribution Framework to link the Bookworm remote access Trojan to the Chinese APT group Stately Taurus by combining malware analysis, tooling, OPSEC, infrastructure, victimology, and timelines. Analysts highlighted embedded PDB paths, a UUID-based shellcode encoding technique, and co-occurrence with a custom tool named ToneShell. Overlapping C2 IPs and domains, consistent targeting in Southeast Asia, and closely aligned compile times supported a high-confidence attribution. Palo Alto Networks also lists protections across WildFire, NGFW, URL/DNS filtering, Cortex XDR, and incident response contact options.