{
	"id": "f153817d-072a-4455-8986-ee992b96c32a",
	"created_at": "2026-04-06T00:09:57.016445Z",
	"updated_at": "2026-04-10T03:21:24.477467Z",
	"deleted_at": null,
	"sha1_hash": "598fb2ef197126f4efb1e9ee5c49eae50c7bb813",
	"title": "Unmasking the Enigma: A Historical Dive into the World of PlugX Malware | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5117310,
	"plain_text": "Unmasking the Enigma: A Historical Dive into the World of PlugX\r\nMalware | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2023-12-06 · Archived: 2026-04-05 15:04:35 UTC\r\nIn the ever-evolving landscape of cybersecurity threats, one name that consistently surfaces as a force to be\r\nreckoned with is \"PlugX.\" This covert and insidious malware has left a trail of digital intrigue, combining\r\nadvanced features with a knack for eluding detection. Its history is interwoven with cyber espionage, targeted\r\nattacks, and a continuous cat-and-mouse game with security experts (1)(2).\r\nThe Splunk Threat Research Team (STRT) unravels the mystery of a PlugX variant, peeling back the layers of its\r\npayload, tactics, and impact on the digital realm. Join us as we delve into the dark corridors of this malware,\r\nexploring its side-loading technique and how it executes its malicious code on the compromised host.\r\nIn this blog, the STRT provides a deep dive analysis of this threat, including:\r\nPlugX .DAT Payload Extraction\r\nPlugX .CFG Decryption\r\nPlugX Extractor Tool\r\nPlugX Analysis\r\nProcess Masquerading\r\nSystem info discovery\r\nFirewall rule\r\nCreate service\r\nDelete service\r\nDrop Files\r\nImpersonate User\r\nKeylogger and Process Monitoring\r\nPlugX .DAT Payload Extraction\r\nMuch like its predecessors, this variant of PlugX leverages the side-loading technique to discreetly execute its\r\nnefarious code. In this intricate sequence, when a user initiates the legitimate 'msbtc.exe,' the malware\r\ndynamically loads the 'version.dll,' a critical component required for the initial layer of decryption of the\r\n'msbtc.dat' file. 
This first layer decryption employs an RC4 algorithm, discreetly orchestrated by the 'Version.DLL'\r\nwithin its 'VerQueryValueW' export function.\r\nUpon successful decryption of the first layer, PlugX incorporates a set of critical headers, which serve as essential\r\ncomponents in the subsequent decryption and decompression of its final payload. In Figure 1, we provide a\r\ncomprehensive breakdown of these header elements, shedding light on their intricate composition and their pivotal\r\nrole in the functionality of the malware.\r\nhttps://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html\r\nPage 1 of 13\r\nFigure 1: The 1st Layer Decrypted PlugX with its header\r\nSubsequently, the malware progresses to the second layer of decryption, which comprises a series of XOR\r\noperations and basic mathematical operations that can be seen in our extraction tool. These transformations are\r\napplied to generate a compressed layer, which is further unpacked using the 'RtlDecompressBuffer()' API. This\r\nmeticulous process culminates in the creation of a headless PlugX payload variant, poised for injection into a\r\ntargeted process. The specific process chosen for this operation will be explored in subsequent sections, shedding\r\nlight on the malware's evasion tactics and persistence strategies.\r\nFigure 2: Decryption and Decompression of PlugX Payload\r\nPlugX .CFG Decryption\r\nUnlike the decryption process for 'msbtc.dat,' the 'msbtc.cfg' file of this particular\r\nPlugX variant uses a simpler procedure. It relies solely on the same key and RC4 algorithm employed by\r\nthe 'Version.DLL' to extract its configuration settings. 
This streamlined approach emphasizes efficiency in\r\nhandling configuration data, making use of the existing tools to expedite the process.\r\nPlugX Extractor Tool\r\nIn an effort to contribute to the cybersecurity community by facilitating the analysis of this threat and the\r\nextraction of the PlugX payload along with its configuration file, the STRT has taken the initiative to create a\r\nPython tool named plugx_extractor.py. This tool automates the extraction process, ensuring seamless and precise\r\nresults. The extracted data is efficiently saved to a file, simplifying the investigative process and empowering\r\nsecurity professionals to dissect and understand this threat more effectively.\r\nBelow is a short video demo of how this tool extracts both the PlugX payload and config files.\r\nFigure 3: plugx_extractor.py Demo\r\nFigure 4: Decrypted PlugX Config\r\nPlugX Analysis\r\nIn the following subheadings, we will conduct an in-depth analysis of the headless PlugX payload that we\r\ndecrypted from the 'msbtc.dat' file.\r\nProcess Masquerading\r\nAfter decrypting the headless PlugX payload from 'msbtc.dat,' the loader proceeds to inject it into the legitimate 'msdtc.exe,'\r\nwhich stands for Microsoft Distributed Transaction Coordinator. This essential Windows service is responsible for\r\nmanaging distributed transactions across various resources, including databases, message queues, and file\r\nsystems.\r\nAs shown in Figure 5, the payload inspects the command-line parameters of the 'msdtc.exe' process. 
If it detects '-a,' it indicates a fresh\r\nexecution, and if it finds '-b,' it triggers additional features.\r\nFigure 5: The msdtc.exe with parameter check\r\nSystem Info Discovery\r\nAs part of its beacon communication with the C2 server, the PlugX malware retrieves the compromised host's\r\nusername, computer name, and operating system information.\r\nFigure 6: System Info Discovery\r\nIn addition to the aforementioned actions, it will make an attempt to gather network-related information from the\r\ncompromised host by initiating queries to the ipinfo.io website. This data collection process involves retrieving\r\ndetails about the host's external IP address, geographical location, Internet service provider, and other relevant\r\nnetwork-related parameters. By querying ipinfo.io, the malware aims to build a comprehensive profile of the\r\ncompromised host's network environment, which can be further utilized for various malicious activities or\r\ninformation gathering.\r\nFigure 7: Network Info Discovery\r\nFirewall Rule\r\nThe malware initiates a strategic action by adding a firewall rule, which it designates as \"Microsoft Edge.\" This\r\nrule is configured to permit incoming network traffic for a specific TCP port, which is crucial for its\r\ncommunication with the Command and Control (C2) server. In our test environment, we customized the PlugX\r\nconfiguration to establish a connection through port 7777.\r\nBy creating this firewall rule, PlugX manipulates the host's security settings, ensuring that network traffic on the\r\nspecified port is permitted. 
This allows the malicious software to maintain a covert line of communication with its\r\nremote C2 server through port 7777, thereby enabling the exfiltration of data, execution of commands, and\r\npotentially additional malicious activities. This deliberate manipulation of the firewall settings is a key component\r\nof the malware's ability to operate stealthily within the compromised system.\r\nFigure 8: Add Firewall Rules\r\nCreate Service\r\nDuring its installation process and to establish persistence and gain elevated privileges within the compromised\r\nhost, the malware executes a multifaceted strategy. One of its key actions involves the installation of a service that\r\nis strategically overlaid onto the legitimate \"msbtc.exe\" executable. This service plays a pivotal role in\r\norchestrating the covert operations of the malicious software.\r\nThis service is configured to perform two essential functions:\r\nAutomated Decryption: Once in place, it operates as a sophisticated decryption mechanism. It diligently decrypts\r\nthe concealed, compressed payload and configuration files that constitute the heart of the PlugX malware. This\r\ndecryption process is initiated seamlessly upon the execution of the legitimate \"msbtc.exe.\"\r\nDynamic Payload Loading: Simultaneously, the service facilitates the dynamic loading of the decrypted PlugX\r\npayload and configuration. This allows PlugX to transition from its concealed state to full functionality as it\r\ninjects itself into the msdtc.exe process and its memory, positioning itself to carry out its malicious agenda.\r\nFigure 9: Create msbtc.exe services\r\nDelete Service\r\nIn the initial execution phase of PlugX, the malware meticulously executes a sequence of actions designed to\r\neliminate or clean up any traces of its previous installations and related artifacts. 
This calculated process is\r\nenacted to ensure the seamless and error-free reinstallation of itself, minimizing the likelihood of detection or\r\ninterference. A telling example of this sophisticated housekeeping operation is illustrated in the figure below.\r\nFigure 10: Delete msbtc.exe services\r\nDrop Files\r\nAs part of its installation process, PlugX drops copies of all the essential components that are\r\ncritical to its overall functionality. The dropped copies are placed specifically in the\r\n\"%programdata%\\MSB\" folder.\r\nFigure 11: Dropped Files\r\nImpersonate User\r\nTo gain privilege escalation, this particular variant of PlugX exhibits a capability to impersonate the currently\r\nlogged-in user by leveraging the \"explorer.exe\" process. This technique allows the malware to adopt the identity\r\nand permissions of the legitimate user, thereby gaining unprecedented access to system resources and sensitive\r\ndata. By disguising its activities within the \"explorer.exe\" process, a common and essential component of the\r\nWindows operating system, PlugX effectively conceals its malicious intentions.\r\nFigure 12: Impersonate Logged-on User Through Explorer.exe Process\r\nKeylogger and Process Monitoring\r\nPlugX also possesses a keylogging feature, enabling it to covertly monitor keystrokes and process activities on the\r\ncompromised host. The data collected through this surveillance is discreetly stored in a file located within the\r\n\"%ALLUSERPROFILE%\\MSB\" directory, specifically named \"kl.\" This gathered information plays a pivotal role\r\nin the malware's data collection and exfiltration strategy. 
Subsequently, the contents of the \"kl\" file are\r\nsystematically read and transmitted to the Command and Control (C2) server.\r\nFigure 13: Keylogger and Process Monitoring\r\nFigure 14: Example of the kl file\r\nDetections\r\nThe Splunk Threat Research Team has curated relevant detections and tagged them to the PlugX Analytic Story to\r\nhelp security analysts detect adversaries leveraging the malware.\r\nThis release used and considered relevant endpoint telemetry data sources such as:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security SACL Event ID, Sysmon, or any Common Information Model compliant EDR technology\r\nWindows Security Event Log\r\nWindows System Event Log\r\nWindows PowerShell Script Block Logging\r\nIndicators of Compromise (IOC)\r\nPlaybooks\r\nNon-hunting detections associated with this analytic story create entries by default in the Splunk Enterprise\r\nSecurity risk index, which can be used seamlessly with risk notables and the Risk Notable Playbook Pack.\r\nAdditionally, the Automated Enrichment playbook pack also works well with the output of any of these analytics.\r\nWhy Should You Care?\r\nThis blog helps security analysts, blue teamers, and Splunk customers identify PlugX malware by enabling the\r\ncommunity to discover the PlugX tactics, techniques and procedures being used by threat actors and adversaries.\r\nBy understanding its behaviors, the STRT was able to generate telemetry and datasets to develop and test Splunk\r\ndetections which are designed to help defend and respond against this threat.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. 
Splunk Security\r\nEssentials also has all these detections now available via push update. In the upcoming weeks, the Splunk Threat\r\nResearch team will be releasing a more detailed blog post on this analytic story. Stay tuned!\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team\r\nfor their contributions including Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric\r\nMcGinnis, and Patrick Bareiss.\r\nSource: https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html"
	],
	"report_names": [
		"unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/598fb2ef197126f4efb1e9ee5c49eae50c7bb813.pdf",
		"text": "https://archive.orkl.eu/598fb2ef197126f4efb1e9ee5c49eae50c7bb813.txt",
		"img": "https://archive.orkl.eu/598fb2ef197126f4efb1e9ee5c49eae50c7bb813.jpg"
	}
}