{
	"id": "587b7718-026a-48e4-8cac-86bc5d0861b2",
	"created_at": "2026-04-06T00:14:18.25038Z",
	"updated_at": "2026-04-10T03:36:33.449762Z",
	"deleted_at": null,
	"sha1_hash": "6503b8318c081cae088bf9040e0e8463d13d17d1",
	"title": "PlugX Malware Being Distributed via Vulnerability Exploitation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1614028,
	"plain_text": "PlugX Malware Being Distributed via Vulnerability Exploitation\r\nBy ATCP\r\nPublished: 2023-03-02 · Archived: 2026-04-05 20:42:07 UTC\r\nASEC (AhnLab Security Emergency response Center) has recently discovered the installation of the PlugX\r\nmalware through the remote code execution vulnerability of the Chinese remote control programs Sunlogin and AweSun.\r\nSunlogin’s remote code execution vulnerability (CNVD-2022-10270 / CNVD-2022-03672) has been used in attacks\r\never since its exploit code was disclosed and is still being exploited now. The team previously made a post about how Sliver C2,\r\nXMRig CoinMiner, and Gh0st RAT were being distributed through the Sunlogin RCE vulnerability. Additionally,\r\nsince Gh0st RAT was developed in China, it is the most common RAT used by threat actors based in China. [1]\r\nAweSun is also a remote control program developed in China and, while its specific vulnerability has not been\r\nidentified, it is presumed that an RCE vulnerability similar to that of Sunlogin had been disclosed. The same threat\r\nactors exploited the RCE vulnerabilities of both Sunlogin and AweSun to install Sliver C2. A previous\r\nblog post has covered the cases that occurred later where similar vulnerability exploitations were used to install\r\nthe Paradise ransomware. [2]\r\n1. PlugX\r\nPlugX is one of the major backdoors used by APT threat groups that are based in China. Its use is known\r\nto have started in 2008, and it is still being used to this day as variants with additional features appear in\r\nattacks. Mustang Panda, Winnti, APT3, and APT41 are the main APT threat groups that have used PlugX in their\r\nattacks, and most of them are known to be based in China. [1]\r\nPlugX is a module-based malware that supports various plugins with different features. 
Therefore, threat actors\r\ncan perform malicious behaviors such as system control and information theft by using the various features from\r\nthese plugins.\r\nAnother characteristic of PlugX is its use of the DLL side-loading method. The DLL side-loading method involves\r\nplacing a malicious DLL in the same path as a normal program and using the execution of the normal program\r\nto load the malicious DLL, which in turn starts the malicious routine. This is done to evade detection by security\r\nproducts: the normal program becomes the subject performing the malicious behaviors, and these behaviors are\r\nthen recognized as the behaviors of a normal program.\r\nPlugX is usually distributed as a compressed file or a dropper, but, either way, the normal EXE file, the malicious\r\nloader DLL (named after the DLL the EXE expects, so that it is side-loaded), and the encoded data files are\r\nultimately created in the same directory. The executable file loads and executes the loader DLL in the same path,\r\nwhich in turn reads and decrypts the data file in the same directory before executing it in memory. After this\r\nprocess, the malware that is ultimately operating in memory is PlugX.\r\nhttps://asec.ahnlab.com/en/49097/\r\nPage 1 of 10\n\n2. PlugX Installed Through Vulnerability Exploitation\r\nASEC is monitoring attacks against systems with either unpatched vulnerabilities or inappropriately configured\r\nsettings. Recently, the team confirmed that PlugX is being installed through the RCE vulnerability exploitation of\r\nSunlogin and AweSun.\r\nAccording to AhnLab’s ASD (AhnLab Smart Defense) log, the team has confirmed that the PowerShell command\r\nexecuted via this vulnerability exploitation creates a file named esetservice.exe.\r\nFigure 1. Log of malware being downloaded through the vulnerability exploitation\r\nesetservice.exe is actually the HTTP Server Service program made by the company ESET, meaning it is a normal\r\nfile.\r\nFigure 2. 
Downloaded HTTP Server Service program made by the company ESET\r\nFurther investigation into related logs revealed that the threat actor also downloaded a file named http_dll.dll aside\r\nfrom esetservice.exe. Additionally, the following is a log from another system that shows the threat actor\r\nexploited not only the Sunlogin vulnerability but also the AweSun vulnerability in their attack.\r\nFigure 3. Additionally downloaded malware\r\nDuring the process of investigating the connection between the two files, it was discovered that the\r\n“esetservice.exe” program has a feature that loads the “http_dll.dll” file in the same directory if executed without\r\nan additional argument. This is a classic DLL side-loading method, and PlugX is well known for using this\r\nmethod.\r\nFigure 4. Routine that loads the http_dll.dll file in the same directory\r\nPlugX is distributed as a set: the normal EXE program, the DLL that acts as the loader, and the data file containing the\r\nactual encoded malware. An analysis of the actual code revealed that the “http_dll.dll” file contains a\r\nroutine to read the “lang.dat” file that is in the same directory before decrypting and executing it.\r\n3. PlugX Dropper and Loader Analysis\r\nDuring the analysis of PlugX, malware using the same “esetservice.exe” and “http_dll.dll” files in its attack was\r\nfound on VirusTotal. This malware is a WinRAR SFX format dropper that creates “esetservice.exe,”\r\n“http_dll.dll,” and “lang.dat” upon execution. It then runs “esetservice.exe” to ultimately install and execute\r\nPlugX. 
While this dropper was not found in the vulnerability exploitation covered above, considering that PlugX’s\r\nC\u0026C address is the same as the download URL used in the vulnerability exploitation, it can be assumed that the\r\nsame threat actor is behind both attacks.\r\nThe PlugX dropper disguises its installation path as that of a normal program and creates the malware in the\r\n“C:\\ProgramData\\Windows NT\\Windows eset service” path. The files are also given the hidden attribute to\r\nmake them less noticeable to users.\r\nFigure 5. PlugX malware strains created in disguised path\r\nWhen “esetservice.exe” is executed, it loads the “http_dll.dll” file in the same directory, and consequently\r\nexecutes the DllMain() function of “http_dll.dll”. Instead of directly executing the function for loading the\r\n“lang.dat” file, DllMain() patches the code of “esetservice.exe,” as shown below, so that\r\n“esetservice.exe” itself loads “http_dll.dll” and branches into the loader routine of “http_dll.dll”.\r\nFigure 6. Code that has been patched to execute the loader function\r\nThis routine is responsible for loading the “lang.dat” file in the same directory and executing it in memory.\r\nThe beginning part of the “lang.dat” file is a shellcode. When this code is executed, it decrypts the PlugX that has\r\nbeen saved alongside it and executes it in memory.\r\nFigure 7. The lang.dat file holding a shellcode and the encoded PlugX\r\n4. Analysis of PlugX\r\nAs explained above, PlugX is a malware that has gone through continuous updates for more than a decade, so all\r\nsorts of variants are being discovered even now. In 2020, a report about the classification and analysis of various\r\nPlugX variants was published on Dr.Web. [2] Security Joes covered the most recently discovered PlugX variants\r\nin 2022. 
The PlugX that is currently being analyzed is almost identical to the BackDoor.PlugX.38 variant that was\r\nreported on Dr.Web. Excluding the configuration data, it can be assumed to be the same as the PlugX in the\r\nmost recent Security Joes report. [3]\r\nThe PlugX used in the attack offers various modes according to the argument given. The following is the process\r\ntree observed when the PlugX that is currently being analyzed is executed. It can be inferred that the 4\r\nmodes, “100”, “200”, “201”, and “209”, are executed in order.\r\nFigure 8. Process tree\r\nWhen the PlugX dropper is executed for the first time, it creates the files “esetservice.exe”, “http_dll.dll”, and\r\n“lang.dat” under the “%PUBLIC%\\Downloads\\” directory before executing “esetservice.exe”. After being loaded\r\nand executed by the “esetservice.exe” process, PlugX uses the Create method of WMI’s Win32_Process class to\r\nexecute itself again with the argument “100”.\r\nWhen executed with “100” as an argument, the UAC bypass process is started after an injection\r\nprocess. “runonce.exe” is the process that is targeted and injected with a shellcode. The injected shellcode is\r\nresponsible for abusing the ICMLuaUtil interface to bypass UAC and run the process with admin privileges.\r\n“esetservice.exe” is able to run with admin privileges thanks to this. Afterward, it registers itself as a service and\r\nsets the argument to “200”. When the process reaches this point, it again targets the “runonce.exe” process for injection,\r\ngiving it the argument “201” before executing and injecting itself. “runonce.exe” then gives the\r\nargument “209” to the “msiexec.exe” process responsible for plugins before executing and injecting it. The above\r\nprocedure means that a different mode is executed according to the argument given. 
A summary of this is\r\ndisplayed below.\r\nArgument Mode\r\nNo argument Initial execution stage\r\n100 UAC bypassing stage\r\n200 Injection stage\r\n201 Main loop #1\r\n202 Main loop #2\r\n209 Plugin mode\r\n300 Auto-delete\r\nTable 1. Executable modes\r\nThe “lang.dat” file holds the configuration data as well as the shellcode and the encoded PlugX. The configuration\r\ndata is also encoded, but it is decoded by PlugX when it is executed in order to obtain the C\u0026C address and\r\nother configuration information. There are 4 C\u0026C server addresses, and they are shown below.\r\nFigure 9. Decrypted configuration data\r\ncdn.imango[.]ink:443\r\napi.imango[.]ink:443\r\napi.imango[.]ink:53\r\ncdn.imango[.]ink:53\r\nThe commands supported by PlugX are almost the same as those of the BackDoor.PlugX.38 version covered in the\r\nDr.Web report, but this variant is distinguished by 2 additional commands, namely the entries 0x0B and 0x0C.\r\nCommand Feature\r\n0x01 Transmits collected information\r\n0x02 Request command again\r\n0x03 Plugin-related\r\n0x04 Reset connection\r\n0x05 Auto-delete\r\n0x06 Upload configuration data\r\n0x07 Update configuration data\r\n0x08 No actual purpose\r\n0x09 No actual purpose\r\n0x0A Pings port 53 from the transmitted address\r\n0x0B Download and execute files from an external source\r\n0x0C Start service\r\nTable 2. C\u0026C commands\r\nThere are 2 additional plugins supported by PlugX in comparison to the previous BackDoor.PlugX.38 version, one\r\nthat steals information saved to the clipboard and one that is responsible for RDP propagation. 
More information\r\ncan be found in the Security Joes report published in December 2022.\r\nPlugin Date Time Stamp Feature\r\nDisk 0x20120325 Tasks related to files (File lookup/reading/writing, process execution, etc.)\r\nKeyLog 0x20120324 Keylogging\r\nNethood 0x20120215 Lookup shared network resource information\r\nNetstat 0x20120215 Lookup TCP/UDP connection tables and TCP entry settings\r\nOption 0x02120128 Workstation tasks\r\nPortMap 0x02120325 Cannot recreate\r\nProcess 0x20120204 Lookup processes / modules. Terminate processes\r\nRegEdit 0x20120315 Tasks related to registry (Lookup, create, delete, etc.)\r\nScreen 0x20120220 Screenshot capture and remote desktop\r\nService 0x20120117 Lookup processes/modules. Terminate processes\r\nShell 0x20120305 Remote control shell (Pipe communication)\r\nSQL 0x20120323 Tasks related to SQL (Lookup information, command execution, etc.)\r\nTelnet 0x20120225 Run as TELNET server\r\nClipLog 0x20190417 Steals clipboard information\r\nRDP 0x20190428 Propagation using the shared RDP folder\r\nTable 3. Plugins supported by PlugX\r\nAdditionally, it is assumed that the location where the stolen data is saved differs for each sample. For example,\r\ncontrary to a past report, the stolen clipboard data is saved to the “clang.aif” file and the keylogging data to the\r\n“ksys.aif” file, both of which are in the installation directory.\r\nFigure 10. Files where the stolen clipboard and keylogging data are stored\r\n5. Conclusion\r\nRecently, there have been confirmed cases where various strains of malware were installed on unpatched and\r\nvulnerable software. 
Although Sliver, Paradise ransomware, and CoinMiner are the malware that are typically\r\ninstalled through vulnerability exploitations, the team has recently confirmed the distribution of the PlugX\r\nbackdoor.\r\nPlugX is one of the main backdoor malware used by APT threat groups based in China. New features are being\r\nadded to it even to this day as it continues to see steady use in attacks. When the backdoor, PlugX, is installed,\r\nthreat actors can gain control over the infected system without the knowledge of the user. In turn, this allows\r\nvarious malicious behaviors to be performed such as logging key inputs, taking screenshots, and installing\r\nadditional malware.\r\nTherefore, users must update their installed software to the latest version to preemptively prevent vulnerability\r\nexploitations. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Malware/Win.Generic.C5387131 (2023.02.24.00)\r\n– Trojan/Win.Loader.C5345891 (2022.12.30.02)\r\n– Data/BIN.Plugx (2023.03.03.03)\r\nBehavior Detection\r\n– Malware/MDP.Download.M1197\r\nMD5\r\n709303e2cf9511139fbb950538bac769\r\nd1a06b95c1d7ceaa4dc4c8b85367d673\r\nd973223b0329118de57055177d78817b\r\nURL\r\nhttp[:]//api[.]imango[.]ink[:]53/\r\nhttp[:]//api[.]imango[.]ink[:]8089/esetservice[.]exe\r\nhttp[:]//api[.]imango[.]ink[:]8089/http_dll[.]dll\r\nhttp[:]//cdn[.]imango[.]ink[:]53/\r\nhttps[:]//api[.]imango[.]ink/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/49097/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/49097/"
	],
	"report_names": [
		"49097"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6503b8318c081cae088bf9040e0e8463d13d17d1.pdf",
		"text": "https://archive.orkl.eu/6503b8318c081cae088bf9040e0e8463d13d17d1.txt",
		"img": "https://archive.orkl.eu/6503b8318c081cae088bf9040e0e8463d13d17d1.jpg"
	}
}