{
	"id": "f66678ec-411d-4edc-aba1-ac47ab08cc9b",
	"created_at": "2026-04-06T00:12:08.966991Z",
	"updated_at": "2026-04-10T03:36:33.637668Z",
	"deleted_at": null,
	"sha1_hash": "135cb82d29340efcc4ca5acb8e891f88246db0d0",
	"title": "Unplugging PlugX: Sinkholing the PlugX USB worm botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 902594,
	"plain_text": "Unplugging PlugX: Sinkholing the PlugX USB worm botnet\r\nBy Sekoia TDR, Felix Aimé and Charles M.\r\nPublished: 2024-04-25 · Archived: 2026-04-05 23:44:23 UTC\r\nTable of contents\r\nPlugX, an old cyber weapon in the Chinese arsenal\r\nWhen things go wrong: adding a wormable component to PlugX.\r\nSinkholing the PlugX worm\r\nFrom sinkholing to disinfection\r\nIndicators of compromise\r\nKey Takeaways\r\nIn September 2023, we successfully sinkholed a command and control server linked to the PlugX worms. For just $7, we acquired the unique IP address tied to a variant of this worm, which had been previously documented by Sophos.\r\nAlmost four years after its initial launch, between ~90,000 and ~100,000 unique public IP addresses are still infected, sending distinctive PlugX requests daily to our sinkhole. In 6 months of sinkholing, we observed more than 2.5M unique IPs connecting to it.\r\nWhile studying the cryptography of PlugX’s communications, we discovered that it was possible to send disinfection commands to the compromised workstations. Two approaches can be implemented: one that disinfects only the workstation, and a more intrusive one that disinfects both the workstation and the USB drive.\r\nAlthough this worm cannot be completely stopped, we are offering the affected countries the possibility of disinfection through a sovereign disinfection process.\r\nIn March 2023, Sophos published an article entitled “A border-hopping PlugX USB worm takes its act on the road”, shedding light on a PlugX variant with worming capabilities. This variant, created in 2020, aimed to propagate via compromised flash drives, bypass air gaps, infect non-internet-facing networks and steal documents from them. 
According to the Sophos blog post, all of these PlugX samples communicate with only one IP address, 45.142.166[.]112, hosted by GreenCloud.\r\nIn September 2023, we managed to take ownership of this IP address to sinkhole that botnet. We initially thought that we would have a few thousand victims connected to it, as we usually see on our regular sinkholes. However, by setting up a simple web server we saw a continuous flow of HTTP requests, varying with the time of day.\r\nhttps://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/\r\nPage 1 of 11\n\nFacing that, we decided to record the received requests in a database in order to map the infections. In total, between 90k and 100k unique IP addresses have been sending distinctive PlugX requests to our sinkhole server every day since September 2023. Even if the botnet can be considered “dead”, as the operators don’t control it anymore, anyone with interception capabilities or taking ownership of this server can send arbitrary commands to the infected hosts to repurpose them for malicious activities.\r\nTherefore, we looked at the concept of sovereign disinfection, proposing to Law Enforcement Agencies and national Computer Emergency Response Teams to remove the implant from the infected hosts remotely.\r\nThis blog post details our process of sinkholing an IP address, the techniques used to gather telemetry from the infected workstations, and the inner workings of PlugX’s communications cryptography, which enable remote disinfection of workstations.\r\nPlugX, an old cyber weapon in the Chinese arsenal\r\nThe first known version of PlugX was seen during a Chinese campaign targeting government-related users and a specific organisation in Japan, which started in 2008 according to Trend Micro.\r\nIt was mainly deployed against victims located in Asia until 2012, and then progressively expanded its pool of targets to Western entities. 
Most of the time, PlugX is loaded using a DLL side-loading scheme where a legitimate executable loads a malicious – or patched – DLL, which then maps and executes in memory the core component of PlugX, which resides in an encrypted binary blob on the file system [T1574.002].\r\nThe management interface of PlugX allows the operator to manage several infected hosts with functionalities commonly seen in such backdoors, such as remote command execution, file upload/download, file system exploration, data collection in the execution context, etc.\r\nThis backdoor, initially developed by Zhao Jibin (aka WHG), evolved over time into different variants. The PlugX builder was shared between several intrusion sets, most of them attributed to front companies linked to the Chinese Ministry of State Security.\r\nWhen things go wrong: adding a wormable component to PlugX.\r\nIn July 2020, according to several researchers, the operators behind the Mustang Panda intrusion set had the (bad) idea of implementing a wormable component in PlugX, possibly to target multiple countries in one campaign or to expand its capabilities by reaching non-connected networks in order to steal files from the non-connected – but infected – workstations.\r\nThis wormable component infects connected USB flash drives by adding to them a Windows shortcut file bearing the name of the infected flash drive, and a DLL side-loading triad (legitimate executable, malicious DLL and binary blob) inside the drive’s hidden RECYCLER.BIN folder. The legitimate content of the USB device is moved to a new directory whose name is the non-breaking space character (hexadecimal ASCII code: 0xA0).\r\nAs with the Raspberry Robin USB worm, when a user opens the USB device, only a shortcut with the name of the USB device is presented, pushing the user to click on it. 
By clicking on the shortcut, the PlugX infection chain is executed. PlugX starts by closing the current window and reopening a new one in the directory (named 0xA0, as previously mentioned) containing the legitimate files.\r\nThen, it copies itself to the host inside %userprofile%/AvastSvcpCP/, and enables its persistence by creating a new key under the HKCU[…]\\CurrentVersion\\Run registry key. Finally, it re-executes itself from the host before terminating. Once executed from the host, the worm component of this PlugX variant checks every 30 seconds for the connection of a new flash drive to automatically infect it.\r\nWhat could go wrong? The worm, which aims to target specific networks, becomes uncontrollable and replicates itself on many networks through flash drives, pushing the operators to abandon their unique C2. Indeed, the inner workings and the management interface of PlugX were not designed for managing thousands of infected hosts.\r\nThe remaining question is whether the Command and Control (C2) server was subjected to a Distributed Denial of Service (DDoS) attack due to an influx of victims, or whether the campaign was successful to such an extent that the threat actors found it feasible to abandon their C2. We don’t know.\r\nOne thing is sure: a very short timeframe – a mere month – was observed between the compilation date of the Dynamic Link Library (DLL) wsc.dll and the only noted appearance, by a trusted source, of the IP address 45.142.166[.]112 acting as a C2 associated with PlugX.\r\nSinkholing parts of malicious infrastructures by registering expired domain names or non-registered domains (in the case of domain generation algorithms or backup infrastructures) is quite common in the Threat Intelligence landscape. For example, we did it quite recently for one of the infection vectors of the Raspberry Robin botnet. 
However, taking ownership of a specific IP address is less common and can sometimes be more challenging.\r\nAfter checking with nmap that this IP was no longer in use, we simply and kindly asked the hosting company to take ownership of the command and control server used in this campaign, 45.142.166[.]112. Thanks to its responsive and comprehensive customer support, we got a shell on a box with this specific IP address for $7 in a few minutes, allowing us to start our initial investigation.\r\nIt is worth knowing that other variants of this worm exist, and three other C2s are known to the industry. One of them in particular (103.56.53[.]46) has an InetSim instance listening on it, leading us to think that it was silently sinkholed by other security researchers or… threat actors?\r\nWhen your SSH lags, it’s a good sign of something bad happening.\r\nUpon establishing a connection to the server, we noted a significant delay, which suggested that multiple attempts were being made to access it. By setting up an ephemeral web server for a few seconds, we were bombarded by thousands of HTTP requests from infected workstations at ~2MB per second, concluding that even though its C2 had been inactive since 2020, the worm continued to propagate on a global scale.\r\nThe PlugX worm uses three different TCP ports (110, 443, 80) to communicate, over raw TCP or HTTP. Its HTTP requests are quite common for PlugX implants, with their four discriminant headers (*-se, *-st, *-si, *-sn), as shown below. 
The attentive reader will note the typo in the hardcoded User-Agent value.\r\nPOST /[a-f0-9]{8} HTTP/1.1\r\nAccept: */*\r\njsp-se: 0\r\njsp-st: 0\r\njsp-si: 61456\r\njsp-sn: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0;Win64;x64)AppleWebKit/537.36\r\nHost: 45.142.166.112:443\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nTo handle this volume of connection attempts and to map the sources of the infected hosts, we created a simple infrastructure. Its architecture consisted of an Nginx server forwarding the connection attempts to a tiny script, which checks that the received HTTP connections were issued by a PlugX instance by looking at the URI and the headers.\r\nIf the request matches a PlugX one, the client IP address is forwarded to a second – and more robust – server, which attempts to geolocate the infected workstation and adds it to a database with several metrics such as the associated autonomous system, the first seen and last seen timestamps, the number of hits and the associated country.\r\nOne point to bear in mind when establishing a sinkhole is the inability to reduce the bandwidth used by the beaconing of the compromised workstations. In this specific situation, the consumption fluctuated between 2MB and 0.8MB per second, depending on the time of day. Therefore, we had to optimise our sinkhole at different levels and not respond to all beaconing requests in order to keep our small server up.\r\nFacing that, we tested two approaches. Our first approach was to forward the request to the backend only if the outcome of random.randint(0,30) was 15. Given that PlugX beacons continually, we considered this an effective strategy. 
However, we missed 25% of the compromised workstations because PlugX often beacons for only a short period of time before being quarantined by a security solution.\r\nMore recently, a transport-level approach was employed. This incorporated the use of iptables’ hashlimit module, which allowed us to handle only one request per minute originating from a unique source IP and port, discarding the rest of the packets – and our answers – by DROPing them.\r\nWhat’s the final goal of this worm? Is the answer in the infected countries?\r\nThe created database enabled us to track the daily progress of worm infections and map them into an interactive world map as shown below, which can be accessed through a web portal. As of this writing, the worm has been observed in over 170 countries globally.\r\nBefore diving into the sinkhole data, it’s important to acknowledge a few key points. Primarily, it’s a drawback that the PlugX C2 communications lack unique victim identifiers, unlike many other implants. Consequently, the analysis of the data we’ve gathered relies solely on victim IP addresses, and we must remember that this approach has several limitations, such as:\r\nDynamic IP addressing is still present: many internet subscribers still have dynamic IP addresses. Therefore, one infected workstation can be related to multiple public IP addresses over time.\r\nConsequently, simply presenting a specific number of infections is irrelevant in the case of this botnet, as it will grow every day. However, it can still be interesting to rank countries by IPs seen reaching our C2 server, as this can represent the countries where the worm is the most active. Therefore, the following chart shows a snapshot of the most infected countries on 3rd of April, 2024. 
It reflects a total of 100,952 unique IP addresses.\r\nBased on that data, it’s notable that around 15 countries account for over 80% of the total infections. It’s also intriguing to note that the leading infected countries don’t share many similarities, which differs from the pattern observed with previous USB worms such as RETADUP, which had its highest infection rates in Spanish-speaking countries. This suggests the possibility that this worm might have originated from multiple patient zeros in different countries.\r\nThe geographical distribution of the most infected countries, as presented on the previous map, may indicate a possible motivation behind this worm. However, this must be taken with a grain of salt, because after four years of activity, it has had time to spread everywhere.\r\nMany of these nations, excluding India, are participants in China’s Belt and Road Initiative, and most of them have coastlines where Chinese infrastructure investments are significant. 
Analysing the geographical distribution of the infections from a security perspective reveals that numerous affected countries are located in regions of strategic importance for the security of the Belt and Road Initiative – like the straits of Malacca, Hormuz, Bab-el-Mandeb or Palk.\r\nConsequently, it is plausible, though not definitively certain as China invests everywhere, that this worm was developed to collect intelligence in various countries about the strategic and security concerns associated with the Belt and Road Initiative, mostly on its maritime and economic aspects.\r\nThe likelihood that the targeting is connected to countries participating in the Belt and Road Initiative, or posing a security threat to it, is notably intriguing given that the PlugX worm is linked to Mustang Panda, especially as this intrusion set is well-known for targeting many countries in the BRI.\r\nFrom sinkholing to disinfection\r\nAchieving a zombie worm: the questions.\r\nDespite the command and control (C2) server having been inactive for a few years, the worm has spread globally since its creation. Consequently, any individual who either controls the IP address or gains access at any point in the network pathway between an infected workstation and the C2 server (even when it’s down) might attempt to manipulate the worm’s behaviour, for instance to execute their own payload on the infected workstation.\r\nThis situation prompted us to consider possible disinfection methods using our access to this server. In order to explore these disinfection possibilities effectively, we must delve into three key questions:\r\nThis understanding is vital to prevent side effects and estimate the impact of a disinfection campaign. 
For example, if PlugX is removed from the USB devices, it will have a much bigger impact than if PlugX is only deleted from the workstation itself.\r\nReversing is the answer\r\nMany articles document PlugX’s features, whether they pertain to communication protocols or functionalities. However, not every variant implements all known commands. In this case, the number of commands is relatively low. Consequently, the first question is easy to answer: this variant does indeed have a self-deletion command (identified as 0x1005).\r\nThis command is quite straightforward as it requires no arguments. When PlugX receives the self-deletion command 0x1005 in an encrypted payload, it performs the following actions:\r\nRetrieves the current directory path and attempts to delete its files and subdirectories.\r\nRetrieves the service name and deletes the corresponding registry key.\r\nCreates a batch file, %TEMP%/del_AsvastSvcpCP.bat, to delete the remaining files.\r\nRuns this script before terminating.\r\nIt is important to note that the deletion takes place from the current execution directory. However, this PlugX variant only contacts the C2 when executed from the host. This addresses the second question: with this command, it is possible to remove PlugX from the hosts but not from the infected USB devices.\r\nThe last question is more complex to address. As previously mentioned, PlugX can communicate via different protocols: TCP and HTTP. TCP communication is the simplest to understand. Each message is divided into two parts:\r\nAn encrypted 16-byte header\r\nA payload, compressed and then encrypted. 
This payload contains the arguments of the command (none in the case of the deletion command).\r\nThe header contains:\r\nThe command identifier;\r\nThe size of the encrypted payload;\r\nThe size of the decrypted and decompressed payload.\r\nThe RC4 algorithm is used to encrypt both the header and payload with the same key. This key is the concatenation of a hard-coded string in the code (sV!e@T#L$PH%) and the first four bytes of the header sent by the C2. It is then straightforward to send a deletion command, especially since there is nothing preventing the reuse of the same four bytes (to have the same key for all of the victims).\r\nFrom a practical standpoint, we prefer using the HTTP protocol over raw TCP. HTTP communications are based on the same principles as TCP communications, even though they require understanding how the state machine of the server is implemented via the HTTP headers.\r\nHowever, it is quite straightforward to send the deletion command, as it can be sent as a response to the first POST request (corresponding to the session opening) and takes just a few bytes. As we can use the same key suffix for all of the victims, we can send the same encrypted deletion payload to all of the victims in order to remove the implant from them.\r\nRemoving or not removing PlugX from the flash drives…\r\n… that’s the question. Indeed, PlugX hides the files stored on the flash drive, and it is only during the execution of PlugX that these files are revealed to the user. If a security solution removes one of the files associated with PlugX on the flash drive, the end user will consequently lose easy access to their own files.\r\nThe only disadvantage of the self-deletion approach is that the flash drive remains infected. That’s why we thought of implementing our own payload to send to the workstation using PlugX functionalities. 
Here, this payload needs to delete PlugX (like the self-deletion command) but also to check whether an infected flash drive is plugged in. If so, it deletes PlugX from it and restores the original flash drive directory structure.\r\nThis is possible because PlugX allows the upload and execution of a payload using the following commands:\r\n0x1002: used to create a thread listening for a sequence of more complex commands.\r\n0x300e: used to expand an environment variable. It is used to expand the %TEMP% variable.\r\n0x3007, 0x10003008, 0x10003009: upload our payload to the %TEMP% directory (CreateFile, WriteFile, CloseFile).\r\n0x300c: create a process from our uploaded payload.\r\nThis strategy requires more commands to send than the previous one, but it works. However, there are some limitations. We don’t want to add a persistence mechanism to our payload, so the infected flash drive needs to be plugged in when our payload is executed. Furthermore, this process is very intrusive as it modifies the directory tree of the USB key. This is why its implementation requires a lot of caution, and a code review by peers is necessary before any deployment.\r\nLegal implications of wild disinfection.\r\nGiven the potential legal challenges that could arise from conducting a widespread disinfection campaign, which involves sending an arbitrary command to workstations we do not own, we have resolved to defer the decision on whether to disinfect workstations in their respective countries to the discretion of national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs), and cybersecurity authorities.\r\nThe principle behind this concept of sovereign disinfection is pretty simple and straightforward. National CERTs and/or relevant LEAs ask to receive data from our sinkhole related to their specific countries. 
This allows them to assess whether it’s necessary to initiate a disinfection process. Since some workstations located in one country can connect to the internet through another country (such as via VPNs or satellite internet providers), these authorities provide in return a list of autonomous systems that are approved for disinfection.\r\nOnce in possession of the disinfection list, we can provide them with access to start the disinfection for a period of three months. During this time, any PlugX request from an Autonomous System marked for disinfection will be responded to with a removal command or a removal payload.\r\nLimits of wild disinfection as a conclusion\r\nAs stated before, there are limitations to the two discussed methods of remote disinfection. Firstly, the worm has the capability to exist on air-gapped networks, which puts these infections beyond our reach. Secondly, and perhaps more noteworthy, the PlugX worm can reside on infected USB devices for an extended period without being connected to a workstation.\r\nAn additional important aspect to consider is the legal limitations. Worms have to be treated on a global scale, but they can’t be if we want to follow the law, because simply disinfecting a single country leaves it prone to reinfection. Evidently, it is a matter of time before these infections reoccur.\r\nTherefore, it is impossible to completely remove this worm by issuing a single command to all the infected workstations. 
Consequently, we also strongly recommend that security vendors create effective detection rules against this threat on the workstation side to prevent the reuse of this botnet in the future.\r\nUSB devices remain a major infection vector\r\nMoving beyond the stereotypical scenario of a red team using a dropped USB device in a parking lot to compromise a network, USB devices are still actively employed to infect both isolated and connected networks by both cybercrime and state-sponsored threat actors.\r\nTherefore, we encourage you to deploy strong policies against this, such as preventing any file execution from a removable device or completely disabling removable storage in your organisation by applying the right Windows Group Policies.\r\nThank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications. You can also contact us at tdr[at]sekoia.io for further discussions.\r\nIndicators of compromise\r\nFile hashes\r\n432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428\r\ne8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d\r\n3a53bd36b24bc40bdce289d26f1b6965c0a5e71f26b05d19c7aa73d9e3cfa6ff\r\n2304891f176a92c62f43d9fd30cae943f1521394dce792c6de0e097d10103d45\r\n8b8adc6c14ed3bbeacd9f39c4d1380835eaf090090f6f826341a018d6b2ad450\r\n6bb959c33fdfc0086ac48586a73273a0a1331f1c4f0053ef021eebe7f377a292\r\nb9f3cf9d63d2e3ce1821f2e3eb5acd6e374ea801f9c212eebfa734bd649bec7a\r\nInfrastructure\r\n45.251.240[.]55\r\n45.142.166[.]112 (Sinkholed by Sekoia)\r\n103.56.53[.]46\r\n43.254.217[.]165\r\nYara rules\r\nrule apt_MustangPanda_PlugXWorm_lnk {\r\n meta:\r\n id = \"bea0b6e6-0999-431d-8ea2-324aa7497657\"\r\n version = \"1.0\"\r\n malware = \"PlugXWorm\"\r\n intrusion_set = \"MustangPanda\"\r\n description = \"Detects PlugXWorm Malicious LNK\"\r\n source = \"Sekoia.io\"\r\n classification = \"TLP:WHITE\"\r\n strings:\r\n $ = \"RECYCLER.BIN\\\\1\\\\CEFHelper.exe\" wide\r\n condition:\r\n uint32be(0) == 0x4c000000\r\n and filesize \u003c 2KB\r\n and all of them\r\n}\r\nimport \"pe\"\r\nrule apt_MustangPanda_MaliciousDLL_random_exports {\r\n meta:\r\n id = \"d14ae417-bc6f-40b1-a027-084522fce516\"\r\n version = \"1.0\"\r\n intrusion_set = \"MustangPanda\"\r\n description = \"Detects malicious DLL used by MustangPanda\"\r\n source = \"Sekoia.io\"\r\n classification = \"TLP:WHITE\"\r\n strings:\r\n $trait = { 66 89 55 FC }\r\n condition:\r\n pe.is_dll() and filesize \u003c 100KB and\r\n for any e in pe.export_details: (\r\n $trait in (e.offset..e.offset+50)\r\n and e.name matches /^[a-z]{10,}$/\r\n )\r\n and not pe.is_signed\r\n}\r\nFeel free to read other Sekoia TDR (Threat Detection \u0026 Research) analyses.\r\nSource: https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/"
	],
	"report_names": [
		"unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434328,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/135cb82d29340efcc4ca5acb8e891f88246db0d0.pdf",
		"text": "https://archive.orkl.eu/135cb82d29340efcc4ca5acb8e891f88246db0d0.txt",
		"img": "https://archive.orkl.eu/135cb82d29340efcc4ca5acb8e891f88246db0d0.jpg"
	}
}