{
	"id": "a67f7bc2-57c4-4793-a86b-e8b5cc34b4af",
	"created_at": "2026-04-06T00:06:27.12059Z",
	"updated_at": "2026-04-10T13:11:47.90263Z",
	"deleted_at": null,
	"sha1_hash": "766ade2464cac7d393f1d1164cb40ec725b78d6b",
	"title": "Investigation into PlugX Uncovers Unique APT Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 597258,
	"plain_text": "Investigation into PlugX Uncovers Unique APT Technique\r\nBy Gilbert Sison, Abraham Camba ( words)\r\nPublished: 2021-01-20 · Archived: 2026-04-05 21:40:53 UTC\r\nAdvanced persistent threats (APT) are known — and are universally dreaded — for their stealth. Actors behind such attacks actively innovate their techniques to evade detection and ensure that they maintain a foothold inside an environment as long as possible. Through the Apex One with Endpoint Sensor (iES) products, we discovered one such incident wherein an attacker utilized sophisticated techniques in an attempt to exfiltrate sensitive information from a company. The unique tactics, techniques, and procedures (TTPs) used in this attack highlight the importance of cross-layered detection and response solutions.\r\nTechnical analysis\r\nDetection\r\nWe noticed the execution of schtasks.exe with the command line parameter “schtasks /create /tn \u003cname\u003e c:\\programdata\\\u003csoftware name\u003e\\\u003cfile name\u003e.bat /sc /once /st \u003ctime\u003e /ru \u003cuser account\u003e”. The scheduled task was not created for persistence. The batch file that was to be executed had a suspicious name that stood out. This prompted us to dig deeper.\r\nEvasion\r\nThe image file of the process residing in the Windows directory that triggered the schtasks command was marked as normal. However, a quick check on VirusTotal showed that the file's name and usual location differed from what was found in the victim machine.\r\nPlugX and malicious BLOBs\r\nThe normal file loads a seemingly normal dynamic-link library (DLL) named after a common Microsoft DLL. However, we saw that the hash of the DLL does not match any of the known hashes of a normal DLL. Reversing the file revealed that it was the PlugX loader, a remote access tool (RAT) that has been historically used in attacks targeting government-related industries and organizations. We then observed that it decrypts, loads, and executes another DLL file named after another Microsoft DLL file, but is actually an encrypted Binary Large Object (BLOB). Figure 1 below shows the relationship between these three files.\r\nhttps://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html\r\nPage 1 of 6\n\nFigure 1. The relationship between the normal file used, the PlugX, and the malicious BLOB\r\nDespite being around for quite some time, PlugX is still effective at evading detection. The variant used in this attack has three parts:\r\n1. A normal file\r\n2. A DLL loader that the normal file expects to be present\r\n3. An encrypted BLOB file containing the malicious code\r\nOf the three, the loader would be the easiest to detect. However, because the file is so simple and straightforward, it is easy for attackers to create multiple versions of the said file to evade detection.\r\nDetection support for the BLOB is probably low. Because it is “free form,” detection engines would have a hard time parsing its contents to find the malicious code, which potentially makes detection by EPPs and EDR difficult. Aside from this, changing the encryption mechanism or packer would result in a totally different BLOB. It should be noted that we have also observed an increased use of BLOB files since 2020.\r\nThe malicious code would run in the address space of the normal file. This could allow the malicious code to evade behavior-monitoring features, as endpoint protection platforms (EPP) would see the process as normal. This is detailed in the next section.\r\nA closer look at PlugX\r\nsvchost injection\r\nThis variant of PlugX (detected by Trend Micro as Backdoor.Win32.PLUGX.DYSGUT), including the code in the BLOB, launches an svchost.exe process and injects into it. Usually, svchost is launched by services.exe, so the action done by PlugX could be used as a trigger for investigation.\r\nSvchost injection is not new — in fact, Trickbot and other malware variants use this technique. The difference between Trickbot and PlugX is that Trickbot is much easier to detect. Trickbot’s binary, which is not whitelisted, does the injection; in PlugX’s case, a normal process that is possibly whitelisted does the injection. It is possible for EPP behavior-monitoring features to allow the action of the whitelisted process to go through. This gives the attacker access to a RAT running inside a normal process.\r\nA unique way of launching tools\r\nOur investigation shows that the attacker used other tools during the attack. The tools used varied from network scanners to account harvesters. The simplest way of using these tools is to have the injected code in svchost download, drop, and execute the tools.\r\nFigure 2. A straightforward approach to launching a malicious tool\r\nThe approach above, although simple, could potentially generate a lot of suspicious telemetry events – svchost.exe suddenly launching an unknown application could trigger alerts. To avoid this, the attacker chose a different approach. For every tool that needs to be run, it creates three things:\r\n1. The auxiliary tool file\r\n2. \u003cfilename\u003e.bat file\r\n3. Cmd.exe with a schtasks.exe command to create a scheduled task to run the batch file above\r\nInstead of directly launching the auxiliary tool, it makes use of a scheduled task that runs the batch file that, in turn, executes the tool.\r\nThe attacker’s usage of a tool can be divided into two separate events: the dropping of the tool by the svchost.exe process that runs the malicious code and the execution of the tool via the scheduled task.\r\nFigure 3. A diagram showing the dropping of the auxiliary tool\r\nIf the creation of the tool, batch file, and scheduled task is disregarded, it would seem that there is no connection between PlugX and the execution of the auxiliary tool. However, a deeper investigation proved otherwise.\r\nFigure 4. Launching the auxiliary tool via the scheduled task\r\nScheduled tasks are usually associated with persistence or privilege escalation, which is not the case in this incident. Having the scheduled task run only once removes the notion of persistence. Meanwhile, having the same user account launch the PlugX process and the auxiliary tool shows that the scheduled task is not for privilege escalation. One possible reason why the attacker chose this technique is to make analysis and forensics, such as via EDR, more difficult.\r\nThe disjoint between the dropping and the execution of the auxiliary tool might cause problems in EDR's rendering of RCA graphs, specifically in providing important information about the attack. Security analysts will have to rely on telemetry data to provide a more complete picture of said attack.\r\nIn this incident, the attacker used a specific tool to gather information kept by the organization. However, the attacker deleted it before we could obtain the tool for investigation purposes. An analysis of these tools could be used to better understand what is happening or what has happened in the environment. Whenever a tool is used, the attacker deletes it from the disk as soon as it has served its purpose – which usually does not take more than 15 minutes. This means that acquiring the tools used would be more difficult. For the attacker, immediately deleting the tool once it performs its intended purpose means being able to extend its shelf life.\r\nWhat enterprises and organizations should look out for\r\nIn incidents like this, wherein the attacker makes sure that the tools used are not detected, threat hunting is a good weapon to have for defense. Sifting through suspicious events and trying to piece them together to understand what has transpired could help identify such attacks.\r\nBased on our investigation of this specific attack, we provide helpful tips for enterprises and organizations to spot PlugX and lateral movement in their environments.\r\nHow to identify PlugX\r\nPlugX’s use of a normal file makes it hard for antivirus (AV) or EPP to detect it. Threat hunters can use this to possibly identify other machines that have PlugX installed: using attributes that could identify the normal file, such as the hash and the digital signer, a sweeping task could be carried out to identify instances of the normal file. Chances are, the normal file that loads the rest of PlugX uses a file name that is different from what it normally uses or is in a location where it is not usually found. For example, Microsoft’s outlook.exe is usually found in the Program Files directory. Finding a normal outlook.exe in the Windows directory makes it suspicious. Finding such entries that stand out could help identify how wide the infection is.\r\nHow to spot lateral movement\r\nIn this particular attack, we observed that to perform lateral movement, the attacker mapped Windows admin shares and used remotely created scheduled tasks to launch malware. Both events never or rarely happened in the victim’s environment.\r\nThe importance of looking into anomalous events\r\nWhen identifying PlugX and lateral movement techniques utilized in attacks, it’s important to be able to determine anomalous events. It was relatively easy for us to flag the events related to the breach because they were anomalies; after looking into these anomalies, we were able to map them out to known techniques that attackers previously used. Keeping an eye on anomalous events could help detect incidents earlier. In order to have effective visibility and correlation at all times, enterprises need to have an integrated view of all of their interconnected security solutions. Automated protection and efficient threat hunting, investigation, and response, such as that provided by Trend Micro XDR services, will help ensure that enterprises are secured from advanced threats.\r\nTrend Micro Solutions\r\nTrend Micro’s comprehensive XDR services solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise — including email, endpoints, servers, cloud workloads, and networks — making faster connections to identify and stop attacks. Powerful artificial intelligence (AI) and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. One console with one source of prioritized, optimized alerts supported with guided investigation simplifies the steps needed to fully understand the attack path and impact on the organization.\r\nSource: https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html"
	],
	"report_names": [
		"xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/766ade2464cac7d393f1d1164cb40ec725b78d6b.pdf",
		"text": "https://archive.orkl.eu/766ade2464cac7d393f1d1164cb40ec725b78d6b.txt",
		"img": "https://archive.orkl.eu/766ade2464cac7d393f1d1164cb40ec725b78d6b.jpg"
	}
}