{
	"id": "0b9f7c83-032c-4806-b7c1-9ab10bbad2cb",
	"created_at": "2026-04-06T00:12:03.71346Z",
	"updated_at": "2026-04-10T03:36:33.825933Z",
	"deleted_at": null,
	"sha1_hash": "bb5145f5085fdff3b36b59741897749e6310a05b",
	"title": "THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2398576,
	"plain_text": "THOR: Previously Unseen PlugX Variant Deployed During Microsoft\r\nExchange Server Attacks by PKPLUG Group\r\nBy Mike Harbison, Alex Hinchliffe\r\nPublished: 2021-07-27 · Archived: 2026-04-05 14:31:55 UTC\r\nExecutive Summary\r\nWhile monitoring the Microsoft Exchange Server attacks in March 2021, Unit 42 researchers identified a PlugX variant\r\ndelivered as a post-exploitation remote access tool (RAT) to one of the compromised servers. The variant observed by Unit\r\n42 is unique in that it contains a change to its core source code: the replacement of its trademark word “PLUG” with\r\n“THOR.” The earliest THOR sample uncovered dates from August 2019 and is the earliest known instance of the\r\nrebranded code. New features were observed in this variant, including enhanced payload-delivery mechanisms and abuse\r\nof trusted binaries.\r\nFirst discovered in 2008, PlugX is a second-stage implant that has been used by the Chinese cyberespionage group PKPLUG\r\n(aka Mustang Panda) and other groups. In addition to being used in multiple high-profile attacks over the years, including\r\nthe significant U.S. Government Office of Personnel Management (OPM) breach in 2015, PlugX is also known for its\r\nmodularity and plug-in-style approach to malware development.\r\nAdditional hunting and analysis led to the identification of several more samples along with an associated PlugX command\r\nand control (C2) infrastructure. This blog provides a technical overview of the PlugX variant discovered, indicators of\r\ncompromise (IOCs) to identify it in networks and a tool developed by Unit 42 to handle payload decryption.\r\nPalo Alto Networks customers are protected from PlugX with Cortex XDR or the Next-Generation Firewall with WildFire\r\nand Threat Prevention security subscriptions. AutoFocus users can track PlugX and PKPLUG activity using the PlugX and\r\nPKPLUG tags, respectively. 
Full visualization of the techniques observed and their relevant courses of action can be\r\nviewed in the Unit 42 ATOM Viewer.\r\nPlugX Delivery\r\nOn March 19, 2021, attackers were observed exploiting an Exchange Server via a chain of zero-days (CVE-2021-26855\r\nand CVE-2021-27065), known as ProxyLogon, originating from IP 101.36.120[.]227. Upon successful exploitation, a\r\nwebshell was uploaded to a publicly accessible web directory, allowing code execution at the highest privilege level.\r\nThe attackers then used a technique known as “living off the land,” which uses trusted binaries to bypass antivirus\r\ndetection. In this case, the Microsoft Windows binary bitsadmin.exe was used to download an innocuous-looking file named\r\nAro.dat (SHA256: 59BA902871E98934C054649CA582E2A01707998ACC78B2570FEF43DBD10F7B6F) from an actor-controlled GitHub repo to the target. (See Figure 1 for the download command executed.)\r\nhttps://unit42.paloaltonetworks.com/thor-plugx-variant/\r\nPage 1 of 18\n\nFigure 1. Bitsadmin command example.\r\nAro.Dat: Overview\r\nThe first 0x4EB (1,259) bytes of Aro.dat (see Figure 2) look as though the file might be encrypted or compressed. As it\r\nturns out, this data is nothing but random filler, likely prepended as a file header to thwart AV signature detection. The\r\nfiller is NULL-terminated, and that terminator marks the entry point of the actual data.\r\nImmediately following the NULL byte (0x00) is a set of x86 assembly instructions that unpack the file. In this sample, the\r\nx86 code starts at file offset 0x4EC with opcode 0x77, the JA (jump if above, unsigned) instruction; the byte that follows\r\nit (0x06) is the jump's 8-bit relative displacement.\r\nFigure 2 illustrates the Aro.dat file header up until the NULL byte. The data was truncated for brevity, as the bytes up until\r\nthe NULL are meaningless. 
In the original figure, red denotes the NULL byte (offset 0x4EB) and green marks where code execution begins (offset 0x4EC).\r\n0000h: 49 79 7A 45 48 4C 4B 78 75 77 55 48 66 77 46 65 IyzEHLKxuwUHfwFe\r\n0010h: 6C 46 44 6D 6D 55 6E 42 50 47 76 63 70 75 68 50 lFDmmUnBPGvcpuhP\r\n0020h: 78 57 5A 67 45 48 62 66 4A 45 57 53 76 74 44 6E xWZgEHbfJEWSvtDn\r\n0030h: 75 61 75 72 56 4C 63 77 41 79 44 58 6A 72 6E 69 uaurVLcwAyDXjrni\r\n0040h: 6F 74 70 77 67 73 71 52 67 7A 4D 64 50 6D 46 6A otpwgsqRgzMdPmFj\r\n0050h: 5A 4E 64 6F 70 72 50 77 70 68 6C 42 6E 6E 56 43 ZNdoprPwphlBnnVC\r\n0060h: 79 6B 52 45 59 6B 75 50 61 75 63 56 54 55 73 51 ykREYkuPaucVTUsQ\r\n0070h: 68 73 41 4A 4E 7A 4F 49 61 51 75 4D 46 6C 54 42 hsAJNzOIaQuMFlTB\r\n0080h: 77 42 44 6B 4A 55 76 43 6C 51 47 68 46 66 69 56 wBDkJUvClQGhFfiV\r\n0090h: 66 62 6A 4C 46 77 78 41 68 50 67 44 46 6F 47 44 fbjLFwxAhPgDFoGD\r\n...\r\n04B0h: 37 35 38 37 35 35 30 39 37 38 32 36 39 30 33 36 7587550978269036\r\n04C0h: 39 39 33 32 33 32 36 38 39 36 33 30 35 35 39 30 9932326896305590\r\n04D0h: 37 35 35 35 37 39 35 32 39 38 30 32 33 35 38 33 7555795298023583\r\n04E0h: 30 36 32 37 36 36 30 32 35 37 36 00 77 06 81 EE 06276602576.w.\r\nFigure 2. Aro.dat file header\r\nAro.dat is designed to remain undetected and cannot run without the aid of a specific loader. As with previous PlugX\r\nvariants, code execution is achieved via a technique known as DLL side-loading. Static analysis reveals that once loaded\r\ninto memory, Aro.dat begins to unpack itself and initiates communication with a C2 server.\r\nAro.dat is, in fact, an encrypted and compressed PlugX payload. The decryption routine within Aro.dat closely resembles\r\nthat of older PlugX variants (see Figure 3 below) in that it involves multiple decryption keys and bit shift operations. Once\r\ndecrypted, it gets decompressed via the Windows API RtlDecompressBuffer into a Windows module (DLL). 
The\r\ncompression algorithm is LZ compression (COMPRESSION_FORMAT_LZNT1).\r\nFigure 3. Comparison of PlugX decryption routines\r\nThe highlighted entries shown in Figure 3 are the static decryption keys used by Aro.dat and an older 2012 PlugX sample\r\n(SHA256: A68CA9D35D26505A83C92202B0220F7BB8F615BC1E8D4E2266AADDB0DFE7BD15). The decryption\r\nroutine differs slightly with each PlugX build, using different static keys and varying the use of addition and subtraction.\r\nThe decrypted, decompressed Aro.dat is an x86 Windows PE file, specifically a DLL.\r\nAro.Dat: Code Execution\r\nThe Aro.dat file contains the following strings: aross.dll, aro.exe and aro.dat. The association of these three files\r\nprovides insight into how code execution is likely achieved. VirusTotal has the following files:\r\nAro.exe (SHA256: 18A98C2D905A1DA1D9D855E86866921E543F4BF8621FAEA05EB14D8E5B23B60C)\r\nAross.dll (SHA256: 9FFFB3894B008D5A54343CCF8395A47ACFE953394FFFE2C58550E444FF20EC47)\r\nOpen-source research suggests Aro.exe is part of the “ARO 2012 advanced repair and optimization tool.” It is a freely\r\navailable tool that claims to fix Windows registry errors. It is digitally signed, has known associations with a PlugX loader\r\nand dynamically loads Aross.dll. Aross.dll is the actor’s DLL, responsible for loading the encrypted payload file,\r\nAro.dat. With this information, we can infer that these two files are necessary and responsible for loading the encrypted\r\nTHOR payload, Aro.dat. Because the signed Aro.exe is the process that ends up hosting the payload, hunting should key on\r\nthe side-loaded Aross.dll and the Aro.dat file beside it rather than on the host executable alone.\r\nSee Figure 4 for an illustration of how code execution is achieved.\r\nFigure 4. DLL side-loading overview for Aro.dat\r\nAro.Dat: Runtime Operation\r\nOnce the decrypted payload runs in memory, it exhibits the same behaviors as previous PlugX implant variants. It starts by\r\ndecrypting the embedded PlugX hardcoded configuration settings. 
The decryption algorithm and XOR keys are fairly\r\nconsistent across multiple PlugX implants. Code behavior closely resembles that of the RedDelta PlugX that’s been\r\nreported by Insikt Group. One noticeable difference between this sample and all other known PlugX samples is the magic\r\nnumber check performed during the initialization of the PlugX plugins. Historically, that number has\r\nalways been 0x504C5547, which corresponds to the PLUG value in ASCII encoding. In this sample, the magic number is\r\n0x54484F52, corresponding to the THOR value in ASCII encoding.\r\nFigure 5 below illustrates the differences.\r\nFigure 5. DLL PlugX magic number comparison\r\nThe hardcoded PlugX configuration settings within the sample decoded to the following values (truncated):\r\nFigure 6. Decrypted hardcoded configuration settings\r\nAs illustrated in Figure 6, this particular PlugX implant is configured for the following:\r\nFour C2 entries, all referencing the domain rainydaysweb[.]com\r\nCommunication over ports 80, 443, 53 and 8000, on both TCP and UDP. Transmitted data is also echoed to an attached\r\ndebugger (if any) via OutputDebugStringW. Example:\r\nFigure 7. Debug output example\r\nUse of the HTTP protocol. The initial handshake with the C2 is not HTTP; it consists of random bytes of variable\r\nlength. The implant expects a 16-byte response and, depending on the returned value (command), will\r\ninitiate HTTP communication. The PlugX SxWorkProc thread is responsible for handling HTTP communications.\r\nAn example HTTP header:\r\nFigure 8. 
HTTP POST example\r\nBreakdown of Figure 8:\r\nPOST data is made of random bytes.\r\nUser-agent is a hardcoded value: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C;\r\n.NET4.0E; Tablet PC 2.0).\r\nutmcn, utmcs, utmsr and utmsc are hardcoded values in the request.\r\n61456 is a known PlugX constant value.\r\nThe HTTP header resembles that of the RedDelta PlugX variant described on page 11 of the Recorded Future report.\r\nCreation of a Windows service with the name and description HP Digital Image\r\nFigure 9. PlugX sample running as HP Digital Image\r\nPossible campaign ID of 1234\r\nWhen running, system events such as process creation, date and time and username are logged to a hidden file named\r\nNTUSER.DAT, located in the C:\\ProgramData\\MSDN\\6.0 directory. This file is encrypted with a two-byte key of 0x4F6F.\r\nThere are two other identifiable attributes for PlugX:\r\n1. The hidden window class name, Static, shown in Figure 10. This window is used for inter-process communication.\r\n(Static is a standard Windows control class, so a hidden Static window is only meaningful alongside the other artifacts\r\nlisted here.)\r\nFigure 10. PlugX window class name\r\n2. The MZ and PE headers of the RWX in-memory module are removed and replaced with the ASCII string ROHT (THOR\r\nbackwards; the byte sequence 52 4F 48 54 is simply the THOR magic 0x54484F52 stored little-endian), shown in Figure 11.\r\nFigure 11. In-memory module artifact\r\nThis sample has the following PlugX plugins, each with its own hardcoded date stamp, as illustrated in Table 1\r\nbelow. Much has been said about these plugins in the past. 
In summary, they provide attackers with various capabilities to\r\nmonitor, update and interact with the compromised system to fulfill their objectives.\r\nPlugin Name Date Stamp Value\r\nDisk 0x20120325\r\nKeylog 0x20120324\r\nNetHood 0x20120213\r\nNetStat 0x20120215\r\nOption 0x20120128\r\nPortMap 0x20120325\r\nProcess 0x20120204\r\nRegEdit 0x20120315\r\nScreen 0x20120220\r\nService 0x20120117\r\nShell 0x20120305\r\nSQL 0x20120323\r\nTelnet 0x20120225\r\nTable 1. PlugX plugins\r\nThis sample also appears to contain a key or a hard-coded date of 20180209, which is used within a structure and passed\r\nwhenever a function object is called.\r\nLinks to PKPLUG\r\nPlugX modules, such as Aro.dat, include hardcoded configuration information allowing for multiple C2 addresses. This\r\nprovides fallback options for the backdoor in case some remote services are unavailable at the time of compromise. In this\r\nparticular PlugX implant (SHA256:\r\n59BA902871E98934C054649CA582E2A01707998ACC78B2570FEF43DBD10F7B6F), and as shown in Figure 6 above,\r\nall four C2 configuration options reference the domain name rainydaysweb[.]com.\r\nOverlaps between the recently discovered PlugX samples with the THOR magic bytes (the infrastructure) and other\r\nentities associated with known PKPLUG activity are highlighted in Figure 12 below, stemming from the orange rectangle\r\nand the red square, respectively.\r\nAs previously mentioned, Aro.dat (SHA256:\r\n59BA902871E98934C054649CA582E2A01707998ACC78B2570FEF43DBD10F7B6F) was downloaded from an actor-controlled GitHub repository to the target Microsoft Exchange Server using bitsadmin. Only the encrypted payload was\r\nobserved on the server, so the specific loader component used there to load and decrypt the module is unknown (the\r\nAross.dll pairing above comes from VirusTotal). However, the connection from it to rainydaysweb[.]com is\r\nshown in the blue oval shape in Figure 12.\r\nFigure 12. 
Maltego chart highlighting THOR overlaps with existing PKPLUG infrastructure.\r\nSeveral overlaps of related infrastructure and common malicious behaviors were found and are described below using\r\nreference number notation [x] that references parts of Figure 12.\r\nPlugX sample (SHA256: 93D33626886E97ABF4087F5445B2A02738EA21D8624B3F015625CD646E9D986E)[1], first\r\nseen March 19, 2021, uses the traditional PLUG (not THOR) identifier and communicates with the same C2,\r\nrainydaysweb[.]com. This sample also shares some behavioral characteristics with other PlugX samples, namely registry\r\nactivity specific to the creation of the key, HKLM\\Software\\CLASSES\\ms-pu\\PROXY[2]. Some of those samples make\r\nuse of C2 infrastructure linked to PKPLUG activity in the past, such as PlugX sample (SHA256:\r\nA15FED60E69EC07BFD01A23BEEC2C8E9B14AD457EA052BA29BD7A7B806AB63B4)[3] from late 2020 using the C2\r\nmanager2013[.]com.\r\nOther samples from the set using the common registry key, through the use of shared infrastructure, reveal further samples\r\ncontaining C2 communication information relating to the third-level domain, upload.ukbbcnews[.]com[4]. This domain is\r\nnot and has never been a legitimate BBC domain; it was registered to appear as such to victims. This domain resolved to\r\nIPv4 address 45.248.87[.]217 up until April 12, 2021, providing the C2 channel for PlugX sample (SHA256:\r\n690C488A9902978F2EF05AA23D21F4FA30A52DD9D11191F9B49667CD08618D87)[5] with its THOR module\r\nmpsvc.ui (SHA256: 64E2FE0E9D52812D2DA956B1D92B51E7C215E579241649316CF996F9721E466E) from early\r\nAugust 2020.\r\nOther \"ukbbcnews\" third-level domains (i.e., bbc., news. and www.) existed and resolved to the same 45.248.87[.]217 IPv4\r\naddress from as far back as May 2019 through March 2021. 
In 2018, the same third-level domains resolved to IPv4\r\naddresses in ASN 134835, including 185.239.226[.]65, 185.239.226[.]76 and 185.239.226[.]14, which have been\r\nused as C2 channels for various PlugX samples, seemingly throughout 2018, 2019 and 2020. PlugX sample (SHA256:\r\n3CDD33DEA12F21A4F222EB060E1E8CA8A20D5F6CA0FD849715F125B973F3A257)[6] from June 2018 shares\r\nbehavioral traits, namely setting the value of registry key HKLM\\SOFTWARE\\Classes\\KET.FAST\\CLSID[7] to -1, with\r\ntwo other PlugX samples over the last three years.\r\nOut of the set of three such PlugX samples known to Unit 42 that changed the value of that registry key, one sample\r\n(SHA256: A9511CDAA96ED59DE73A7A7C7DC375DE204BEE7A9511C5EE71BF013010324A91)[8] existed around\r\nthe same timeframe (June 2018) using the domain tibetsl[.]com and many third-level domains from it for C2\r\ncommunication. The third PlugX sample (SHA256:\r\n80DEED939A520696968335D1BB2A9FCCE7053C0156F679BA261824D0A2D44967)[9] from the set also used the\r\nTHOR identifier. From November 2019, this sample and its configuration module aross.dat (SHA256:\r\nC5DCD3073904FAD5D9A8FE1026141A832E05C9CA03A88FEE96587921F42773D4) used 108.61.182[.]34 for C2\r\ncommunication; the indonesiaport[.]info[10] domain resolved to that address between September 2019 and February 2020. The\r\nsame domain has been used for C2 communications by several other PlugX samples (using the PLUG identifier) that Unit\r\n42 tracks as related to PKPLUG, dating as far back as August 2017.\r\nAnother configuration module using the THOR identifier, acrobat.chm (SHA256:\r\nB5C0DB62184325FFBE2B8EF7E6F13F5D5926DEAC331EF6D542C5FA50144E0280)[11], loaded by PlugX sample\r\nAcrobat.dll (SHA256: 3C5E2A4AFE58634F45C48F4E800DC56BAE3907DDE308FF97740E9CD5684D1C53), was first\r\nseen at the end of October 2020. 
The C2 channel from the configuration is tools.scbbgroup[.]com, which at the time\r\nresolved to 167.88.180[.]131 and, since early February 2021, continues to resolve to 103.85.24[.]158, under ASNs\r\n6134 and 134835, respectively[12]. Other known PKPLUG infrastructure using additional IP addresses from the ranges\r\nunder both ASNs is tracked by Unit 42 and other vendors.\r\nExamples include www.ixiaoyver[.]com and www.systeminfor[.]com, which resolved in April and May 2020, respectively, to\r\n103.85.24[.]190 and acted as C2 channels for several PlugX samples (using the PLUG identifier).\r\nShortly after the brief, two-day period when www.systeminfor[.]com resolved to 103.85.24[.]190, the resolution briefly\r\nchanged to 167.88.180[.]32 (ASN 6134), which other PKPLUG-related domains resolved to throughout the course of\r\n2020. One such domain was www.cabsecnow[.]com, which was used as a C2 channel for another PlugX sample (SHA256:\r\nA9CBCE007A7467BA1394EED32B9C1774AD09A9A9FB74EB2CCC584749273FAC01)[13] and configuration module\r\nSmadav.dat (SHA256: E2D21B5E34189FA1ACA39A13A405C792B19B6EDF020907FB9840AF1AAFBAA2F4) using\r\nthe THOR magic bytes in August 2020.\r\nThe final PlugX sample using the THOR identifier [14] is SmadHook32.dll (SHA256:\r\n125FDF108DC1AD6F572CBDDE74B0C7FA938A9ADCE0CC80CB5CE00F1C030B0C93) with its configuration module\r\nSmadav.dat (SHA256: CC1AFB373F8286C08869CD786FEE75B8002DF595586E00255F52892016FD7A4F); this is the most\r\nrecent THOR sample Unit 42 has discovered. First seen in March 2021, this sample's C2 references news.cqpeizi[.]com,\r\nwhich since late 2019 has resolved to the loopback address 127.0.0[.]1.\r\nPlugX: The Hunt for Others\r\nWith an understanding of how the encrypted payload files are constructed, Unit 42 researchers created a signature based on\r\nthe x86 assembly instructions used to unpack the payload. 
(See Table 2 for a list of files\r\ndiscovered.)\r\nDuring our research, we discovered other PlugX-encrypted payloads that have a different encoding scheme and file header.\r\nThese samples are XOR encoded, with the decryption key consisting of the bytes starting at file offset zero, up until the\r\nNULL byte. Typically, the key is 10 bytes in length. Once decrypted, the sample is a PE file (DLL). (Reference\r\nTable 4 for a list of files uncovered that follow this format.)\r\nWe’ve identified two other PlugX-encrypted payload files with different encoding schemes. These files were manually\r\ndecrypted and confirmed to be PlugX variants. (See Table 5.)\r\nUnit 42 PlugX Payload Decrypter\r\nUnit 42 created a Python script that can decrypt and unpack encrypted PlugX payloads without having the associated\r\nPlugX loaders. It attempts to detect the type of PlugX-encrypted sample and then outputs the following:\r\n1. Decrypted and decompressed PlugX module (DLL). Adds an MZ header to the file, as the MZ header is not present\r\nin the in-memory module. This applies only to encrypted payloads that have the random-byte header (THOR\r\npayloads).\r\n2. Hardcoded PlugX configuration file (C2 information), if supported.\r\nExample of the tool in action:\r\nThe decryptor tool is hosted on Unit 42’s public tools GitHub repository.\r\nConclusion\r\nThirteen years after its initial discovery, the PlugX malware family remains a threat. 
After 10+ years of consistent source\r\ncode components, the developers made an unexpected change to its signature magic value from “PLUG” to “THOR.” New\r\nfeatures were observed in this variant, including enhanced payload delivery mechanisms and abuse of trusted binaries.\r\nWith the THOR identifier signature, Unit 42 will continue to search for additional samples and variants that may be\r\nassociated with this new PlugX variant.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers\r\nand systematically disrupt malicious cyber actors. 
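The following Python triage helper is an added example written for this page; it is not Unit 42's decrypter and not code from the article. On constructed inputs (no real malware) it shows the three checks described above: locating the NULL-terminated filler of a THOR-style payload and the JA stub at the next offset (0x4EC in Aro.dat, as in the Aro.Dat: Overview section), recovering the key of the XOR-header payloads from the bytes before the first NULL and confirming an MZ header after decryption (The Hunt for Others section), and scanning memory for the THOR magic 0x54484F52, whose little-endian encoding is the byte sequence 52 4F 48 54, the 'ROHT' artifact of Figure 11. Where the article leaves a detail unstated (that the XOR key restarts at the first ciphertext byte, that every THOR stub opens with 0x77), the code labels it as an assumption.

```python
import struct

# Added example, not Unit 42's decrypter: a triage helper for the two
# encrypted-payload layouts the article describes, plus the THOR magic check.
THOR_MAGIC = 0x54484F52   # 'THOR' (new variant)
PLUG_MAGIC = 0x504C5547   # 'PLUG' (historical)
OPCODE_JA_REL8 = 0x77     # first opcode of the unpack stub in Aro.dat (offset 0x4EC)


def magic_bytes(magic):
    # A dword stored little-endian: 0x54484F52 becomes 52 4F 48 54, which is
    # the ASCII string 'ROHT' seen in the stripped in-memory module header.
    return struct.pack('<I', magic)


def header_end(blob):
    # Both layouts terminate their ASCII prefix with the first NULL byte.
    # Returns the offset of that NULL, or -1 when there is none.
    return blob.find(0)


def classify_thor(blob):
    # THOR layout: random printable filler, NULL, then an x86 unpack stub.
    # Assumption (from the single sample in the article): the stub opens with
    # JA rel8 (0x77 disp8); the jump target is computed for the analyst.
    nul = header_end(blob)
    if nul < 0 or nul + 2 >= len(blob):
        return None
    entry = nul + 1
    if blob[entry] != OPCODE_JA_REL8:
        return None
    disp = blob[entry + 1]
    disp = disp - 256 if disp > 127 else disp   # rel8 is signed
    return {'kind': 'thor-stub', 'entry_offset': entry, 'ja_target': entry + 2 + disp}


def xor_decrypt(blob):
    # XOR-header layout: key = bytes [0, NULL), ciphertext follows the NULL.
    # Assumption: the key repeats from its first byte at the first ciphertext byte.
    nul = header_end(blob)
    if nul <= 0:
        return None, None
    key = blob[:nul]
    body = blob[nul + 1:]
    return key, bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def classify_xor(blob):
    key, plain = xor_decrypt(blob)
    if key is None or plain[:2] != b'MZ':
        return None
    return {'kind': 'xor-header', 'key_len': len(key), 'decrypted': plain}


def classify(blob):
    # Try the stub signature first; a real decryptor would go on to run or
    # emulate the stub, which this helper does not do.
    return classify_thor(blob) or classify_xor(blob) or {'kind': 'unknown'}


def find_thor_headers(mem):
    # Scan a memory dump for the little-endian THOR dword that replaces the
    # MZ/PE headers of the RWX in-memory module.
    needle = magic_bytes(THOR_MAGIC)
    hits, pos = [], mem.find(needle)
    while pos >= 0:
        hits.append(pos)
        pos = mem.find(needle, pos + 1)
    return hits


# Constructed sample inputs (not real malware), shaped like the article's layouts.
def build_thor_sample():
    # 0x4EB bytes of printable filler, a NULL at 0x4EB, then the stub bytes
    # quoted in Figure 2 (77 06 81 EE) and padding.
    filler = bytes(0x41 + (i * 7) % 26 for i in range(0x4EB))
    return filler + bytes([0]) + bytes.fromhex('770681EE') + bytes(16)


def build_xor_sample(key=b'abcdefghij'):
    # A fake PE (MZ header plus filler) encoded under a 10-byte ASCII key.
    plain = b'MZ' + bytes(range(2, 64))
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))
    return key + bytes([0]) + enc


if __name__ == '__main__':
    for name, blob in (('thor', build_thor_sample()), ('xor', build_xor_sample())):
        print(name, {k: v for k, v in classify(blob).items() if k != 'decrypted'})
    print(magic_bytes(THOR_MAGIC), find_thor_headers(bytes(8) + b'ROHT' + bytes(8)))
```

Run the block directly to print the classification of both constructed samples. The stub check is deliberately a weak signal on its own: a single 0x77 after a NULL will match benign data, so pair a hit with the filler length, the 61456 constant or the HP Digital Image service name before acting on it, and remember that a full decryptor has to emulate or execute the stub, which this helper does not attempt.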
Visit the Cyber Threat Alliance for more information.\r\nAdditional Resources\r\nPKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia\r\nIndicators of Compromise\r\nPlugX Encrypted Payloads Containing THOR Magic Bytes\r\nSHA256 File Name First Seen\r\nb3c735d3e8c4fa91ca3e1067b19f54f00e94e79b211bec8dc4c044d93c119635 pdvdlib.dat 04-16-2021\r\n59BA902871E98934C054649CA582E2A01707998ACC78B2570FEF43DBD10F7B6F aro.dat 03-29-2021\r\n67E626B7304A0B14E84EC587622EE07DC0D6ECAC5A2FD08E8A2B4EDD432D2EBC pdvdlib.dat 03-19-2021\r\nCC1AFB373F8286C08869CD786FEE75B8002DF595586E00255F52892016FD7A4F Smadav.dat 03-18-2021\r\nC28D0D36F5860F80492D435DF5D7D1C6258C6D7FC92076867DB89BC5BD579709 Samsunghelp.chm 02-22-2021\r\n3d9d004e82553f0596764f858345dcc7d2baee875fd644fa573a37e0904bde88 ldvpsvc.hlp 11-29-2020\r\nb5c0db62184325ffbe2b8ef7e6f13f5d5926deac331ef6d542c5fa50144e0280 acrobat.chm 10-29-2020\r\ne2d21b5e34189fa1aca39a13a405c792b19b6edf020907fb9840af1aafbaa2f4 Smadav.dat 08-13-2020\r\n89D36FE8B1ED5F937C43CB18569220F982F7FCCAA17EC57A35D53F36A5D13CD6 mpsvc.ui 08-04-2020\r\n64e2fe0e9d52812d2da956b1d92b51e7c215e579241649316cf996f9721e466e mpsvc.ui 08-03-2020\r\nA2F15D3305958A361E31887E0613C6D476169DB65C72BE4E36721AD556E6FA01 ui.mdb 06-11-2020\r\nC5DCD3073904FAD5D9A8FE1026141A832E05C9CA03A88FEE96587921F42773D4 aross.dat 11-28-2019\r\nTable 2. 
PlugX-encrypted payloads containing THOR magic bytes\r\nPlugX Loaders Using THOR Payloads\r\nSHA256 File Name\r\n9FFFB3894B008D5A54343CCF8395A47ACFE953394FFFE2C58550E444FF20EC47 Aross.dll\r\n125fdf108dc1ad6f572cbdde74b0c7fa938a9adce0cc80cb5ce00f1c030b0c93 SmadHook32.dll\r\n80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967 EndPoint Network Agent.exe\r\n3c5e2a4afe58634f45c48f4e800dc56bae3907dde308ff97740e9cd5684d1c53 acrobat.dll\r\na9cbce007a7467ba1394eed32b9c1774ad09a9a9fb74eb2ccc584749273fac01 smadhook32.dll\r\n690c488a9902978f2ef05aa23d21f4fa30a52dd9d11191f9b49667cd08618d87 mpsvc.dll\r\nTable 3. PlugX loaders using THOR payloads\r\nPlugX Encrypted Payloads: XOR Header\r\nSHA256 File Name\r\n0510e5415689ee5111c5f6ef960a58d0d037864ceaad8f66d57d752a1c1126f4 mp.dat\r\n055b44336e0d3de5f2a9432dce476ee18c2824dda6fda37613d871f0f4295cd5 UNKNOWN\r\n1833943858e3d7fe1cec0459090f7f3b2bc2d80c774abc4b45b52529a3011e85 AvastAuth.dat\r\n1848c8eb7c18214398dfc1a64a1ab16aced8cc26ed14453045730c2491166f25 UNKNOWN\r\n35a46bdd2f1788fe2a66b1adfe1b21361ebfc3fb597e932e6a0094422637fa48 UNKNOWN\r\n38914419eaf8f3b68fd84f576b6657a68aa894b49bc6d7aa4c52adc4027912c8 UNKNOWN\r\n3b1a08ea826921fe12515afa96f2596bca098465c27bb950808b0887f2e2ed84 UNKNOWN\r\n3e8e8c2951edd51b3a97b3fc996060ba63ebdaaffa8adfbd374b3693c0e97aee adobeupdate.dat\r\n3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10 http_dll.dat\r\n432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428 UNKNOWN\r\n4c8405e1c6531bcb95e863d0165a589ea31f1e623c00bcfd02fbf4f434c2da79 adobeupdate.dat\r\n56e9b0c2b87d45ee0c109fb71d436621c7ada007f1bd3d43c3e8cf89c0182b90 adobeupdate.dat\r\n5b16347c180c8a2e25033ec31ac8728e72a0812b01ea7a312cbb341c6c927d06 UNKNOWN\r\n5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028 AvastAuth.dat\r\n6097cc6d6fdd5304029ccedfd3ef49f0656bcf1c60d769b3344dc5129fcb6224 
AvastAuth.dat\r\n6a94b9a22bcdadb69e8ae21af2819b0c891896564660049d7e21d5c3053a8d43 UNKNOWN\r\n70457e0cc1b5be30a8774a2528724bc8041969b2c7dca22b64775a4fba3d5501 AvastAuth.dat\r\n776a7e29e3d1288fbbbc11057b800dc4559e4f2b77b827757779213b0d49c22b UNKNOWN\r\n83eb4e75c332667cdd87c0d61fb00917020329a089dc9294b3dfc172d3299f1d adobeupdate.dat\r\n8b8adc6c14ed3bbeacd9f39c4d1380835eaf090090f6f826341a018d6b2ad450 UNKNOWN\r\n8ec409c1537e3030405bc8f8353d2605d1e88f1b245554383682f3aa8b5100ec UNKNOWN\r\n9f0f962ae8dc444d3774d3f3a72421c2c01ee09d2234378df99c19205362d6fc adobeupdate.dat\r\n9f7a911ba583205775b0005a6ce8783fbec50bc91bc747546b0e0ddf386155a0 AvastAuth.dat\r\nab6a11effc5442c220d099385b4790b114c9cb795f484a30fba86f5c626abc26 UNKNOWN\r\naf4844c867ecb3105e92fe4fa6836c5fd463dac1c1e12233b4fb00b00d4ee719 UNKNOWN\r\naf70349513573ef003ca13b88dd6858f843b29525b9e053c89f8508866a1acb0 http_dll.dat\r\nafa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d917 UNKNOWN\r\nbda6f53d37e51385ed739ab51055420254defafff0db669aa55229e0eda9fc66 adobeupdate.dat\r\nd1f848a8477f171430b339acc4d0113660907705d85fa8ea4fbd9bf4ae20a116 UNKNOWN\r\nd634759a262dc423aa5bb95c3046886516ad60b83197c695d07ab4fce960132b UNKNOWN\r\nd69d200513a173aff3a4b2474ccc11812115c38a5f27f7aafe98b813c3121208 adobeupdate.dat\r\nd8882948a7fe4b16fb4b7c16427fbdcf0f0ab8ff3c4bac34f69b0a7d4718183e adobeupdate.dat\r\ndc42d5d3c7c166a54dffec9e7c36b10a0735432948f7c333b306e27bfbef336c jkljk'kle\r\ne1c85ede49a2017e103aa13dfbbf9f7400d3520ee4d6a394ebb0e035c1e016bc UNKNOWN\r\ne74182800eb247a9e0dfb7e6274dec2839571b650143bcd30423abe10f8daac4 main.dat\r\ne84f77210840bc508df1c695de01f3a45715f5a02a20e94237f1c0a39c551666 AvastAuth.dat\r\nf0f2ff31b869fdb9f2ef67bfb0cc7840f098a37b6b21e6eb4983134448e3d208 adobeupdate.0dat\r\nf51ee36cdb86b210a91db98d85ae64acdb5b091a7899b7569955a6b25b65d6b6 UNKNOWN\r\nf7a7eca072cb07af2a769bff4729478a9ec714c59e3c1c25410184014ccee18e 
main.dat\r\nE4C94CC2E53BEB61184F587936EE8134E3ED81872D6EE763CAC20557A5F1077C adobeupdate.dat\r\n265E1FAB92C2AA97FA8D5587E6378DBEE024BC3FC23458DF95E97354C6B4235E loggerupdate.dat\r\nE8ADA4BC075B6CA47C11C5C747D0F49702323AD13D87BF9459D12F4961CF169E http_dll.dat\r\nf224f513c1bad901bf05c719003b1e605543d2a32cfe5aa580f77a63ec882c4c http_dll.dat\r\n589e87d4ac0a2c350e98642ac53f4940fcfec38226c16509da21bb551a8f8a36 adobeupdate.dat\r\nde0f65a421ce8ee4a927f4f9228f29ff12be69ac71edecb18c35cb5101e4c3cf UNKNOWN\r\n0246BAE3D010D2ADD808ECC97D8BF8B68F20301BD99F5CEF85503894E3AD75CC adobeupdate.dat\r\nTable 4. PlugX-encrypted payloads: XOR header\r\nPlugX-Encrypted Payloads: Unknown Encryption\r\nSHA256 File Name\r\n2194B0E5ED25E31749CB8EA9685951CA47D67210DC7A8116807928DEA4DC2B44 ACLUI.DLL.UI\r\n5c60bee8f311b67d453d793c230399c05693eaab69a4b932bf271f2ac18a74cb ACLUI.DLL.UI\r\nTable 5. PlugX-encrypted payloads: Unknown encryption\r\nPlugX Loaders Using PLUG Payloads\r\nSHA256 File Name\r\n282eef984c20cc334f926725cc36ab610b00d05b5990c7f55c324791ab156d92 zVIm1lVT.exe\r\n7deb52227f6e08441b2695d0c783a380ebc771ca1fa4dcec96283d41a4ff7905 WEXTRACT.EXE\r\nf949b78b040cbfc95aafb50ef30ac3e8c16771c6b926b6f8f1efe44a1f437d51 AcroRd32DQe.exe\r\n8a07c265a20279d4b60da2cc26f2bb041730c90c6d3eca64a8dd9f4a032d85d3 acrord32.dll\r\n3a53bd36b24bc40bdce289d26f1b6965c0a5e71f26b05d19c7aa73d9e3cfa6ff lgNdgPd3.exe\r\nd64afd9799d8de3f39a4ce99584fa67a615a667945532cfa3f702adbe27724c4 AAM UpdatesHtA.exe\r\n75ad7745e2b81cb5ffc6d1e267b6c06f56f260452edf09ef4d6fd3ecad584e66 csKMR5Bh.exe\r\n033c3a372d4d780faa14648c7de93a87d4584afd547609795fb7e9ba370912eb WEXTRACT.EXE\r\n26f814e4db5aee02451a628e0b16f945c6141d201cc1c8e63395d4e29e1baa64 WEXTRACT.EXE\r\n93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e unknown\r\n769863ec7ba1e28a77c7cc0bda19bb79e6869cae63ecdfab97c669fc40348a0c 
install_flash_player.exe\r\n792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6 avg.exe\r\n9699c3f5dd99345b04aaf5e7dc5002de7dbabf922e43125a10eb3f5fc574e51e 7Po6BzAx.exe\r\na9511cdaa96ed59de73a7a7c7dc375de204bee7a9511c5ee71bf013010324a91 mcinsupd.exe\r\naf6cb7f9aaa2e1cff577888164f689c4bdb62490bd78915595d7fdd6462d09c4 hex.dll\r\n3cdd33dea12f21a4f222eb060e1e8ca8a20d5f6ca0fd849715f125b973f3a257 web.dll\r\nTable 6. PlugX loaders using PLUG payloads\r\nCommand and Control Indicators of Compromise\r\nPlugX (THOR magic bytes) related to Microsoft Exchange Vulnerability\r\nrainydaysweb[.]com\r\n154.211.14[.]156\r\nOther PlugX (THOR magic bytes)\r\nupload.ukbbcnews[.]com\r\nindonesiaport[.]info\r\ntools.scbbgroup[.]com\r\nwww.cabsecnow[.]com\r\nnews.cqpeizi[.]com\r\n45.248.87[.]217\r\n103.85.24[.]158\r\n167.88.180[.]131\r\n167.88.180[.]32\r\n108.61.182[.]34\r\nOther PlugX (PLUG magic bytes):\r\nweb.flashplayerup[.]com\r\ndownloads.flashplayerup[.]com\r\nhelp.flashplayerup[.]com\r\nindex.flashplayerup[.]com\r\nwww.destroy2013[.]com\r\nwww.fitehook[.]com\r\nwww.manager2013[.]com\r\nwww.mmfhlele[.]com\r\ndetail.misecure[.]com\r\nwww.quochoice[.]com\r\nwww.systeminfor[.]com\r\nwww.emicrosoftinterview[.]com\r\ndown.emicrosoftinterview[.]com\r\nnews.petalossccaf[.]com\r\nwww.msdntoolkit[.]com\r\nwww.apple-net[.]com\r\nhdviet.tv-vn[.]com\r\n103.56.53[.]106\r\n185.239.226[.]65\r\n103.192.226[.]100\r\n45.248.87[.]140\r\n45.142.166[.]112\r\n103.107.104[.]38\r\n42.99.117[.]92\r\n45.251.240[.]55\r\n103.56.53[.]46\r\n154.223.150[.]105\r\n45.248.87[.]162\r\n103.200.97[.]150\r\n42.99.117[.]95\r\n43.254.217[.]165\r\n45.248.87[.]217\r\nAttack Staging\r\nraw.githubusercontent[.]com/tellyou123\r\nSource: https://unit42.paloaltonetworks.com/thor-plugx-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/thor-plugx-variant/"
	],
	"report_names": [
		"thor-plugx-variant"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb5145f5085fdff3b36b59741897749e6310a05b.pdf",
		"text": "https://archive.orkl.eu/bb5145f5085fdff3b36b59741897749e6310a05b.txt",
		"img": "https://archive.orkl.eu/bb5145f5085fdff3b36b59741897749e6310a05b.jpg"
	}
}