{
	"id": "931f7ce9-5dca-4800-bf41-02527a59ac6a",
	"created_at": "2026-04-06T00:08:47.424868Z",
	"updated_at": "2026-04-10T13:11:32.645016Z",
	"deleted_at": null,
	"sha1_hash": "38b1693a956655c20c89fd655befeeb258db93a7",
	"title": "TA416's Golang PlugX Malware Loader | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 452338,
	"plain_text": "TA416's Golang PlugX Malware Loader | Proofpoint US\r\nBy November 23, 2020 The Proofpoint Threat Research Team\r\nPublished: 2020-11-23 · Archived: 2026-04-02 10:53:52 UTC\r\nExecutive Summary \r\nFollowing the Chinese National Day holiday in September, Proofpoint researchers observed a resumption of activity by the\r\nAPT actor TA416. Historic campaigns by this actor have also been publicly attributed to “Mustang Panda” and “RedDelta”.\r\nThis new activity appears to be a continuation of previously reported campaigns that have targeted entities associated with\r\ndiplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar. The targeting of\r\norganizations conducting diplomacy in Africa has also been observed. Proofpoint researchers have identified updates to the\r\nactor’s toolset which is used to deliver PlugX malware payloads. Specifically, researchers identified a new Golang variant of\r\nTA416’s PlugX malware loader and identified consistent usage of PlugX malware in targeted campaigns. As this group\r\ncontinues to be publicly reported on by security researchers, they exemplify a persistence in the modification of their toolset\r\nto frustrate analysis and evade detection. While baseline changes to their payloads do not greatly increase the difficulty of\r\nattributing TA416 campaigns, they do make automated detection and execution of malware components independent from\r\nthe infection chain more challenging for researchers. This may represent efforts by the group to continue their pursuit of\r\nespionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular\r\namongst threat researchers. 
\r\nRenewed Phishing Activity \r\nAfter nearly a month of inactivity following publications by threat researchers, Proofpoint analysts have identified limited\r\nsigns of renewed phishing activity that can be attributed to the Chinese APT group TA416 (also referred to as Mustang\r\nPanda and RedDelta).1 Recorded Future researchers have previously noted historic periods of dormancy following\r\ndisclosure of TA416’s targeted campaigns.2 This most recent period of inactivity encompassed September 16, 2020 through\r\nOctober 10, 2020. Notably, this time period included the Chinese National holiday referred to as National Day and the\r\nfollowing unofficial vacation period “Golden Week”. The resumption of phishing activity by TA416 included a continued\r\nuse of social engineering lures referencing the provisional agreement recently renewed between the Vatican Holy See and\r\nthe Chinese Communist Party “CCP”.3 Additionally, spoofed email header From fields were observed that appear to imitate\r\njournalists from the Union of Catholic Asia News. This confluence of themed social engineering content suggests a\r\ncontinued focus on matters pertaining to the evolving relationship between the Catholic Church and the “CCP”. \r\nPlugX Malware Analysis \r\nProofpoint researchers identified two RAR archives which serve as PlugX malware droppers. One of these files was found\r\nto be a self-extracting RAR archive. For the purposes of this analysis the self-extracting archive file\r\nAdobelmdyU.exe|930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867 was examined. The initial\r\ndelivery vector for these RAR archives could not be identified. However, historically TA416 has been observed including\r\nGoogle Drive and Dropbox URLs within phishing emails that deliver archives containing PlugX malware and related\r\ncomponents. Once the RAR archive is extracted, four files are installed on the host and the portable executable Adobelm.exe\r\nis executed. 
The installed files include: \r\nAdobelm.exe|0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681 \r\nA legitimate Adobe executable used in the DLL Side-Loading of Hex.dll. \r\nAdobehelp.exe|e3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7 \r\nAn unused binary that has been previously observed in malicious RAR archives linked to TA416. \r\nhex.dll|235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd \r\nA Golang binary which decrypts and loads adobeupdate.dat (the PlugX payload). \r\nadobeupdate.dat|afa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d91 \r\n The encrypted PlugX malware payload. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader\r\nPage 1 of 5\n\nFigure 1: PlugX Malware Execution Diagram \r\nFollowing RAR extraction, Adobelm.exe, a legitimate PE that is used for the DLL side-loading of hex.dll, is executed. It\r\ncalls a PE export function of hex.dll named CEFProcessForkHandlerEx. Historically, TA416 campaigns have used the file\r\nname hex.dll and the same PE export name to achieve DLL side-loading for a Microsoft Windows PE DLL. These files\r\nserved as loaders and decryptors of encrypted PlugX malware payloads. The file would read, load, decrypt, and execute\r\nthe PlugX malware payload (regularly named adobeupdate.dat, as it is in this case).  \r\nThe PlugX malware loader found in this case was identified as a Golang binary. Proofpoint has not previously observed this\r\nfile type in use by TA416. Both identified RAR archives were found to drop the same encrypted PlugX malware file and\r\nGolang loader samples. The Golang loader has a compilation creation time that dates it to June 24, 2020. However,\r\nthe command and control infrastructure discussed later in this posting suggests that the PlugX malware payload and Golang\r\nloader variant were used after August 24, 2020. 
Despite the file type of the PlugX loader changing, the functionality remains\r\nlargely the same. It reads the file adobeupdate.dat, retrieves the XOR key beginning at offset x00 and continues until it reads\r\na null byte. It then decrypts the payload, and finally executes the decrypted adobeupdate.dat. This results in the execution of\r\nthe PlugX malware payload which ultimately calls out to the command and control IP 45.248.87[.]162. The following\r\nregistry key is also created during this process; it runs at startup, establishing the malware’s persistence. Notably, the\r\nsample uses the distinct file installation directory “AdobelmdyU”. \r\nRegistry Key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobelmdyU \r\nData: \"C:\\ProgramData\\Adobe\\Adobe\r\n402 \r\nFigure 2: PlugX malware Registry Key established for malware persistence. \r\nConsistent TA416 Tools \r\nThe PlugX malware payload, unlike the Golang loader variant, seems to remain consistent when compared with previous\r\nversions. \r\nHistorical analysis conducted by Avira and Recorded Future has documented that the\r\nencrypted PlugX payloads, which have been disguised as data and gif files, are in fact encrypted PE DLL files. These\r\nencrypted files contain a hardcoded XOR decryption key that begins at offset x00 and continues until a null byte is\r\nread.4 In this case the Golang binary PlugX loader reads the encryption key in the same manner, from x00 to the null\r\nbyte, with the hardcoded key ending at offset x09. This represents continued usage of an anti-analysis method which\r\nmakes the execution of PlugX payloads more complex and complicates the detection of the command and\r\ncontrol infrastructure which the malware communicates with. 
\r\nHardcoded Decryption Key / Byte Sequence \r\n66 59 50 6C 79 73 43 46 6C 6B \r\nFigure 3: PlugX malware XOR decryption key. \r\nFigure 4: PlugX malware byte sequence and hardcoded XOR decryption key. \r\nFollowing decryption, the resulting file reflects a valid PE header for the PlugX malware payload. Shellcode appears\r\nbetween the MZ header and the DOS message. The function of this shellcode is to write the PE DLL into RWX\r\nmemory and begin execution at the beginning of the file. This establishes an entry point for the payload and prevents\r\nan entry point not found error when executing the malware. This is a common technique observed in many malware\r\nfamilies and is not exclusive to TA416 PlugX variants. This shellcode is unlikely to appear in legitimate software\r\nDLLs.\r\nFigure 5: PlugX malware byte sequence and XOR decryption key.\r\nCommand and Control Infrastructure \r\nThe command and control communication observed from these PlugX malware samples is consistent with previously\r\ndocumented versions. The C2 traffic was successfully detected by an existing Proofpoint Emerging Threats Suricata\r\nsignature for PlugX malware which is publicly available as part of the ET OPEN public ruleset.5 The following IP and\r\nexample command and control communication URLs were identified: \r\n45.248.87[.]162 \r\nhxxp://45.248.87[.]162/756d1598 \r\nhxxp://45.248.87[.]162/9f86852b \r\nFurther research regarding the command and control IP indicated that it was hosted by the Chinese Internet Service\r\nProvider Anchnet Asia Limited. It appeared to be active and in use as a command and control server from at least August 24,\r\n2020 through September 28, 2020. It is notable that this time period predates the period of dormancy discussed above that\r\nlikely resulted from Recorded Future’s publication on TA416 activity. 
Additionally, it indicates that this server ceased being\r\nused during this dormancy period, possibly indicating an infrastructure overhaul by the actors during this time. \r\nFigure 6: RiskIQ data indicating TA416 command and control server’s period of activity. \r\nConclusion \r\nContinued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so\r\nthat they can remain effective in carrying out espionage campaigns against global targets. The introduction of a\r\nGolang PlugX loader alongside continued encryption efforts for PlugX payloads suggests that the group may be conscious of\r\nincreased detection for their tools, and it demonstrates adaptation in response to publications regarding their campaigns.\r\nThese tool adjustments, combined with recurrent command and control infrastructure revisions, suggest that TA416 will\r\npersist in their targeting of diplomatic and religious organizations. While the specifics of the tools and procedures have\r\nevolved, it appears their motivation and targeted sectors likely remain consistent. TA416 continues to embody the persistent\r\naspect of “APT” actors and Proofpoint analysts expect to continue to detect this activity in the coming months. 
\r\nIOCs \r\nIOC | IOC Type | Description \r\n930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867 | SHA256 | AdobelmdyU.exe, RAR Archive Containing PlugX \r\n6a5b0cfdaf402e94f892f66a0f53e347d427be4105ab22c1a9f259238c272b60 | SHA256 | Adobel.exe, Self-Extracting RAR Archive Containing PlugX \r\n0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681 | SHA256 | Adobelm.exe, Legitimate PE that loads Golang PlugX Loader \r\n235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd | SHA256 | hex.dll, Golang binary PlugX Loader \r\ne3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7 | SHA256 | AdobeHelp.exe, Unused PE File \r\nafa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d917 | SHA256 | adobeupdate.dat, Encrypted PlugX Payload \r\n45.248.87[.]162 | C2 IP | Command and control IP \r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobelmdyU | RegKey | Registry Key that establishes PlugX malware persistence \r\nEmerging Threats Signatures \r\n2018228 - et trojan possible plugx common header struct \r\nReferences: \r\n1. Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations \r\n2. Back Despite Disruption: RedDelta Resumes Operations \r\n3. Holy See and China renew Provisional Agreement for 2 years \r\n4. New wave of PlugX targets Hong Kong \r\n5. Emerging Threats Ruleset \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader"
	],
	"report_names": [
		"ta416-goes-ground-and-returns-golang-plugx-malware-loader"
	],
	"threat_actors": [
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38b1693a956655c20c89fd655befeeb258db93a7.pdf",
		"text": "https://archive.orkl.eu/38b1693a956655c20c89fd655befeeb258db93a7.txt",
		"img": "https://archive.orkl.eu/38b1693a956655c20c89fd655befeeb258db93a7.jpg"
	}
}