PlugX Meeting Invitation via MSBuild and GDATA

A recent PlugX campaign used phishing emails with a 'Meeting Invitation' lure to deploy the malware through DLL side-loading. The infection chain begins with a zip archive containing a malicious .csproj project file and a copy of the MSBuild executable; running MSBuild against the project file downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (a PlugX variant, which the legitimate executable side-loads), and an encrypted AVKTray.dat file. The malware relies on DLL side-loading, API hashing and XOR encryption to hinder analysis. It establishes persistence via the Run registry key and communicates with a command-and-control server. The campaign shows PlugX continuing to evolve while retaining its core characteristics, and underlines its ongoing relevance in cyber-espionage operations.
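The chain above leaves three distinct telemetry shapes: MSBuild.exe running a project file from a user-writable path (or running from outside its install location, since the archive shipped its own copy), a signed executable loading an unsigned DLL from the same user-writable directory, and a Run key pointing into that directory. The following triage script is an added example, not code from the pulse or its source report: it checks constructed endpoint events against those three shapes and also scans project-file text for the inline-task feature (CodeTaskFactory / RoslynCodeTaskFactory) that lets a .csproj execute arbitrary code under MSBuild. The event field names, the G DATA executable name, the Run value name and the sample paths are all assumptions, since the pulse does not give them.

```python
"""Triage constructed telemetry for the MSBuild / DLL side-loading chain.
Added example; not from the pulse. Event schema and names are assumed."""
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to (assumption: tune per estate).
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|appdata|public)\\", re.IGNORECASE)
# Where MSBuild.exe normally lives on a developer box (assumption).
MSBUILD_HOMES = re.compile(
    r"^(c:\\windows\\microsoft\.net\\framework(64)?\\|"
    r"c:\\program files( \(x86\))?\\microsoft visual studio\\)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(\\|$)", re.IGNORECASE)
INLINE_TASK = re.compile(r'TaskFactory\s*=\s*"(Roslyn)?CodeTaskFactory"', re.IGNORECASE)


def msbuild_abuse(ev):
    """MSBuild outside its install dirs, or building a project from a user-writable path."""
    if ev.get("event") != "process_create":
        return None
    image = ev["image"]
    if PureWindowsPath(image).name.lower() != "msbuild.exe":
        return None
    if not MSBUILD_HOMES.match(image):
        return f"MSBuild.exe outside install dirs: {image}"
    m = re.search(r'"([^"]+\.csproj)"|(\S+\.csproj)', ev.get("cmdline", ""), re.IGNORECASE)
    proj = (m.group(1) or m.group(2)) if m else ""
    if proj and USER_WRITABLE.search(proj):
        return f"MSBuild project in user-writable path: {proj}"
    return None


def sideload_candidate(ev):
    """Signed process loading an unsigned DLL from its own, user-writable directory."""
    if ev.get("event") != "image_load":
        return None
    proc, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    same_dir = str(proc.parent).lower() == str(dll.parent).lower()
    if (same_dir and ev.get("image_signed") and not ev.get("loaded_signed")
            and USER_WRITABLE.search(str(dll))):
        return f"unsigned {dll.name} side-loaded by signed {proc.name} from {dll.parent}"
    return None


def run_key_persistence(ev):
    """Run key value whose data points into a user-writable directory."""
    if ev.get("event") != "registry_set":
        return None
    if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev.get("data", "")):
        return f"Run key {ev['key']} -> {ev['data']}"
    return None


def csproj_has_inline_code(xml_text):
    """True when a project file declares an inline-code task, i.e. it can run C#/VB
    under MSBuild.exe rather than just describe a build."""
    return bool(INLINE_TASK.search(xml_text) and re.search(r"<Code\b", xml_text))


RULES = (msbuild_abuse, sideload_candidate, run_key_persistence)


def triage(events):
    """Return (rule name, finding) pairs for every event that trips a rule."""
    return [(r.__name__, hit) for ev in events for r in RULES if (hit := r(ev))]


# Constructed sample events (not real telemetry); "GDATA_AV.exe" is a placeholder.
SAMPLE_EVENTS = [
    {"event": "process_create",  # benign developer build from the VS MSBuild
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\Users\dev\source\repos\App\App.csproj" /t:Build'},
    {"event": "process_create",  # MSBuild copied out of the zip, run from Downloads
     "image": r"C:\Users\victim\Downloads\Meeting Invitation\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\Users\victim\Downloads\Meeting Invitation\Meeting Invitation.csproj"'},
    {"event": "image_load",  # signed AV binary loading unsigned Avk.dll beside it
     "image": r"C:\Users\victim\AppData\Roaming\GDATA\GDATA_AV.exe", "image_signed": True,
     "loaded": r"C:\Users\victim\AppData\Roaming\GDATA\Avk.dll", "loaded_signed": False},
    {"event": "image_load",  # same binary loading a system DLL: benign
     "image": r"C:\Users\victim\AppData\Roaming\GDATA\GDATA_AV.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"event": "registry_set",  # Run key pointing into AppData
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AVKTray",
     "data": r"C:\Users\victim\AppData\Roaming\GDATA\GDATA_AV.exe"},
]

# Constructed project file using the documented inline-task syntax; body elided.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Run /></Target>
  <UsingTask TaskName="Run" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[ /* downloader */ ]]></Code></Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for name, hit in triage(SAMPLE_EVENTS):
        print(f"[{name}] {hit}")
    print("inline task in csproj:", csproj_has_inline_code(SAMPLE_CSPROJ))
```

The MSBuild rule deliberately does not flag every .csproj under C:\Users, because developer builds live there; it keys on Temp, Downloads and AppData instead, and on MSBuild.exe itself being outside its install directories. The side-loading rule needs signer information from the sensor; without it, fall back to "DLL in the same directory as a process whose image is normally installed under Program Files".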

Pulse ID: 69a3ce16b33dca316675f3f3
Pulse Link: https://otx.alienvault.com/pulse/69a3ce16b33dca316675f3f3
Pulse Author: AlienVault
Created: 2026-03-01 05:26:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Encryption #Espionage #ICS #InfoSec #MSBuild #Malware #OTX #OpenThreatExchange #Phishing #PlugX #RAT #ZIP #bot #cyberespionage #AlienVault

LevelBlue - Open Threat Exchange
