Mustang Panda targets Asia with advanced PlugX variant DOPLUGS

PlugX Variant DOPLUGS

The China-linked threat actor known as Mustang Panda has targeted several Asian countries using a variant of the PlugX (aka Korplug) backdoor called DOPLUGS.

“The piece of custom PlugX malware differs from the general type of PlugX malware that contains a completed backdoor command module, and the former is only used to download the latter,” said Trend Micro researchers Sunny Lu and Pierre Lee. said in a new technical article.

DOPLUGS targets were mainly in Taiwan and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia and even China.

PlugX is a base tool of Mustang Panda, which is also followed as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416 and TEMP.Hex. It is known to be active since at least 2012, although it first came to light in 2017.


The threat actor’s craft consists of executing well-crafted spearphishing campaigns designed to deploy tailor-made malware. It also has a track record of deploying its own custom PlugX variants, such as RedDeltaThor, Hodur and DOPLUGS (distributed through a campaign called SmugX) since 2018.

Compromise chains use a range of different tactics, using phishing messages as a channel to deliver a first-stage payload that, while displaying a decoy document to the recipient, surreptitiously extracts a legitimate, signed executable that is vulnerable is for side-loading DLL to side-load a dynamic-link library (DLL), which in turn decodes and runs PlugX.

The PlugX malware then fetches the Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to connect to a Mustang Panda-controlled server.

In December 2023, Lab52 discovered a Mustang Panda campaign targeting Taiwanese political, diplomatic and government agencies using DOPLUGS, but with a notable difference.

“The malicious DLL is written in the Nim programming language,” says Lab52 said. “This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions that use the Windows Cryptsp.dll library.”

First documented by Secureworks in September 2022, DOPLUGS is a downloader with four backdoor commands, one of which is orchestrated to download the generic type of PlugX malware.


Trend Micro said it has also identified DOPLUGS samples integrated with a module known as Kill someonea plugin responsible for malware distribution, information gathering and document theft via USB drives.

This variant is equipped with an additional startup component that runs the legitimate executable to perform DLL sideloading, in addition to supporting functionality to run commands and download the next stage malware from an actor-controlled server.

It is worth noting that there was a modified PlugX variant, including the KillSomeOne module designed for distribution via USB exposed already in January 2020 by Avira as part of attacks targeting Hong Kong and Vietnam.

“This shows that Earth Preta has been refining its tools for some time and is continually adding new functionalities and features,” the researchers said. “The group remains very active, especially in Europe and Asia.”

#Mustang #Panda #targets #Asia #advanced #PlugX #variant #DOPLUGS

Notify of
Inline Feedbacks
View all comments
Previous Post
New Wi-Fi Vulnerabilities

New Wi-Fi vulnerabilities expose Android and Linux devices to hackers

Next Post
SaaS Identity Governance

6 Ways to Simplify SaaS Identity Management

Related Posts