All news with #plugx tag
Fri, October 31, 2025
Chinese Hackers Exploit Hard-to-Patch Windows Shortcut Flaw
🛡️ Arctic Wolf reports that Chinese government-linked actors, tracked as UNC6384 and linked to the longer-running Mustang Panda cluster, conducted spear-phishing campaigns in September and October targeting diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands by abusing a long-known Windows .LNK shortcut parsing flaw. The vulnerability allows command-line instructions to be concealed in .LNK whitespace so attackers can display decoy PDFs—such as an agenda for a European Commission meeting—while executing payloads that deploy the PlugX remote-access Trojan. Trend Micro and ZDI previously documented the issue (i.e., ZDI-CAN-25373, later CVE-2025-9491), but Microsoft has so far declined to fully patch it; Arctic Wolf advises blocking or disabling .LNK execution, monitoring for related binaries like cnmpaui.exe, and blocking C2 domains as interim mitigations.
Fri, October 31, 2025
China-Linked UNC6384 Exploits Windows LNK Vulnerability
🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.
Fri, October 31, 2025
Chinese-Linked Hackers Exploit Windows Shortcut Flaw
🔎 Researchers at Arctic Wolf Labs uncovered a September–October 2025 cyber-espionage campaign that used a Windows shortcut vulnerability to target Belgian and Hungarian diplomatic entities. The operation, attributed to UNC6384 and likely tied to Mustang Panda (TEMP.Hex), combined spear phishing with malicious .LNK files exploiting ZDI-CAN-25373 and deployed a multi-stage chain ending in the PlugX RAT. Attackers used DLL side-loading, signed Canon utilities and obfuscated PowerShell to extract and execute an encrypted payload while displaying decoy diplomatic PDFs.
Fri, October 31, 2025
Chinese Hackers Exploit Windows LNK Zero-Day to Spy
🔒 A China-linked threat group is exploiting a high-severity Windows .LNK zero-day (CVE-2025-9491) to deploy the PlugX remote-access trojan against European diplomatic targets. The campaign begins with spearphishing that delivers malicious shortcut files themed around NATO and European Commission events. Researchers at Arctic Wolf Labs and StrikeReady attribute the activity to UNC6384 (Mustang Panda) and report the operation has expanded beyond Hungary and Belgium to other EU states. With no official patch available, defenders are urged to restrict .LNK usage and block identified C2 infrastructure.
Sat, September 27, 2025
China-linked PlugX and Bookworm Target Asian Telecoms
🔍 Cisco Talos and Palo Alto Networks Unit 42 describe concurrent campaigns distributing a revised PlugX variant and the long‑running Bookworm RAT against telecommunications and manufacturing organizations across Central and South Asia and ASEAN countries. Talos found that the PlugX sample borrows RainyDay and Turian techniques — DLL side‑loading of a Mobile Popup Application, XOR‑RC4‑RtlDecompressBuffer payload processing and reuse of RC4 keys — and includes an embedded keylogger. Researchers note the PlugX configuration now mirrors RainyDay’s structure, suggesting links to Lotus Panda/Naikon or shared tooling, while Unit 42 highlights Bookworm’s modular leader/DLL architecture, UUID-encoded shellcode variants, and use of legitimate-looking C2 domains to blend with normal traffic.
Thu, September 25, 2025
Talos: New PlugX Variant Targets Telecom and Manufacturing
🔍 Cisco Talos revealed a new PlugX malware variant active since 2022 that targets telecommunications and manufacturing organizations across Central and South Asia. The campaign relies on abuse of legitimate software, DLL-hijacking techniques and stealthy persistence to evade detection, and it shares technical fingerprints with the RainyDay and Turian backdoors. Talos describes the activity as sophisticated and ongoing. Organizations should update endpoint, email and network protections, review DLL-hijack mitigations and proactively hunt for related indicators.
Tue, September 23, 2025
RainyDay, Turian and PlugX Variant Abuse DLL Hijacking
🛡️ Cisco Talos describes an ongoing campaign in which Naikon-linked actors abused DLL search order hijacking to load multiple backdoors, including RainyDay, a customized PlugX variant and Turian. The report highlights shared loaders that use XOR and RC4 decryption with identical keys and an XOR-RC4-RtlDecompressBuffer unpacking chain. Talos notes the PlugX variant adopts a RainyDay-style configuration and includes embedded keylogging and persistence, with activity observed since 2022 targeting telecom and manufacturing organizations in Central and South Asia. Talos published IOCs and recommended mitigations for detection and prevention.
Mon, August 25, 2025
UNC6384 Uses Captive Portal Hijacks to Deploy PlugX
🔐 Google’s Threat Intelligence Group (GTIG) detected a March 2025 campaign attributed to UNC6384 that uses captive-portal hijacks to deliver a digitally signed downloader called STATICPLUGIN. The downloader (observed as AdobePlugins.exe) retrieves an MSI and, via DLL sideloading through Canon’s IJ Printer Assistant Tool, stages a PlugX variant tracked as SOGU.SEC entirely in memory. Operators used valid TLS and GlobalSign-signed certificates issued to Chengdu Nuoxin Times Technology Co., Ltd, aiding evasion while targeting diplomats and other entities.
Mon, August 25, 2025
Deception in Depth: UNC6384 Hijacks Web Traffic Globally
🛡️ In March 2025, Google Threat Intelligence Group identified a complex espionage campaign attributed to the PRC‑nexus actor UNC6384 that targeted diplomats in Southeast Asia and other global entities. The attackers hijacked web traffic via a captive‑portal and AitM redirect to deliver a digitally signed downloader tracked as STATICPLUGIN, which retrieved a disguised MSI and staged an in‑memory deployment of the SOGU.SEC backdoor (PlugX). The operation abused valid code‑signing certificates, DLL side‑loading via a novel launcher CANONSTAGER, and indirect execution techniques to evade detection. Google issued alerts, added IOCs to Safe Browsing, and recommends enabling Enhanced Safe Browsing, applying updates, and enforcing 2‑Step Verification.