China-nexus Threat Actor Targets Persian Gulf Region With PlugX

Pulse ID: 69bb25ba8958067ca6d112cc
Pulse Link: https://otx.alienvault.com/pulse/69bb25ba8958067ca6d112cc
Pulse Author: Tr1sa111
Created: 2026-03-18 22:22:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #CyberSecurity #InfoSec #OTX #OpenThreatExchange #PlugX #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

China-nexus Threat Actor Targets Persian Gulf Region With PlugX

A China-nexus threat actor targeted countries in the Persian Gulf region using a multi-stage attack chain to deploy a PlugX backdoor variant. The campaign exploited the renewed Middle East conflict, using an Arabic-language document lure depicting missile attacks. The attack utilized a ZIP archive containing a malicious Windows shortcut file, which downloaded a CHM file leading to the deployment of PlugX. The malware employed various obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for domain resolution. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda.

Pulse ID: 69b7dacde783e4b5dec19bde
Pulse Link: https://otx.alienvault.com/pulse/69b7dacde783e4b5dec19bde
Pulse Author: AlienVault
Created: 2026-03-16 10:26:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Arabic #BackDoor #China #CyberSecurity #DNS #HTTP #HTTPS #ICS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #PlugX #Windows #ZIP #bot #AlienVault


China-linked hackers targeted #Qatar using fake war news to spread PlugX backdoors and launch cyber-espionage attacks on military and energy sectors.

https://hackread.com/china-hackers-qatar-backdoor-fake-war-news/

#CyberSecurity #China #PlugX #CyberAttack #Malware

China-Linked Hackers Hit Qatar with Backdoor Disguised as War News

China-linked hackers targeted Qatar using fake war news lures to spread PlugX backdoor malware and spy on military and energy sectors.

Hackread - Cybersecurity News, Data Breaches, AI and More

PlugX Meeting Invitation via MSBuild and GDATA

Pulse ID: 69a757e4036551f15fbe4574
Pulse Link: https://otx.alienvault.com/pulse/69a757e4036551f15fbe4574
Pulse Author: Tr1sa111
Created: 2026-03-03 21:51:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #MSBuild #OTX #OpenThreatExchange #PlugX #bot #Tr1sa111


PlugX Meeting Invitation via MSBuild and GDATA

A recent PlugX campaign utilized phishing emails with a 'Meeting Invitation' lure to deploy malware through DLL side-loading. The infection chain begins with a zip file containing a malicious .csproj file and MSBuild executable. The .csproj file downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (PlugX variant), and an encrypted AVKTray.dat file. The malware uses DLL side-loading, API hashing, and XOR encryption for obfuscation. It establishes persistence via the Run registry key and communicates with a command and control server. The campaign showcases PlugX's continued evolution while maintaining its core characteristics, highlighting its ongoing relevance in cyber-espionage operations.

Pulse ID: 69a3ce16b33dca316675f3f3
Pulse Link: https://otx.alienvault.com/pulse/69a3ce16b33dca316675f3f3
Pulse Author: AlienVault
Created: 2026-03-01 05:26:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Encryption #Espionage #ICS #InfoSec #MSBuild #Malware #OTX #OpenThreatExchange #Phishing #PlugX #RAT #ZIP #bot #cyberespionage #AlienVault


PlugX Meeting Invitation via MSBuild and GDATA

Pulse ID: 69a19ec30f2a3dc1cd0a8bbc
Pulse Link: https://otx.alienvault.com/pulse/69a19ec30f2a3dc1cd0a8bbc
Pulse Author: CyberHunter_NL
Created: 2026-02-27 13:40:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #MSBuild #OTX #OpenThreatExchange #PlugX #bot #CyberHunter_NL


The Latest PlugX Variant Executed by STATICPLUGIN

Pulse ID: 699fcc469f29056be52fd3a4
Pulse Link: https://otx.alienvault.com/pulse/699fcc469f29056be52fd3a4
Pulse Author: Tr1sa111
Created: 2026-02-26 04:29:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #PlugX #bot #Tr1sa111


The Latest PlugX Variant Executed by STATICPLUGIN

In January 2026, a new variant of the PlugX malware was observed being used in targeted attacks. Analysis suggests involvement of the UNC6384 APT group, linked to Mustang Panda, targeting government agencies in Southeast Asia. The malware uses a browser updater disguise to download and execute a malicious MSI file, leading to PlugX infection. The STATICPLUGIN downloader uses a revoked code-signing certificate from a Chinese company. The PlugX variant employs DLL sideloading and shellcode execution techniques. Its configuration is encrypted using RC4 and custom encoding. C2 servers were identified as fruitbrat[.]com and 108.165.255[.]97:443. The ongoing improvements to PlugX indicate its continued use in targeted attacks by APT groups.

Pulse ID: 699edea96aa1a8d035261fc9
Pulse Link: https://otx.alienvault.com/pulse/699edea96aa1a8d035261fc9
Pulse Author: AlienVault
Created: 2026-02-25 11:36:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Browser #Chinese #CyberSecurity #Government #InfoSec #Malware #OTX #OpenThreatExchange #PlugX #RAT #ShellCode #SideLoading #bot #AlienVault


#plugx targeting VN "evv.msi" -> famisu[.]com e0058681fabb8e49ec780fdd78ec01fd

📰 China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats

⚠️ China-linked hackers (UNC6384) exploit unpatched Windows flaw CVE-2025-9491 to spy on EU diplomats. Attacks use malicious LNK files to deploy PlugX RAT. Microsoft has declined to patch the vulnerability. #CyberEspionage #ZeroDay #PlugX

🔗 https://cyber.netsecops.io/articles/china-linked-unc6384-exploits-unpatched-windows-flaw-to-spy-on-european-diplomats/?utm_source=mastodon&utm_medium=socia…

China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats

Analysis of a cyber-espionage campaign by China-linked UNC6384 exploiting the unpatched Windows vulnerability CVE-2025-9491 to target European diplomats with the PlugX RAT.

CyberNetSec.io