{
	"id": "2bb47dc3-80d0-48b4-a7ff-fb3cf18414a5",
	"created_at": "2026-04-06T01:31:36.933534Z",
	"updated_at": "2026-04-10T03:21:35.070301Z",
	"deleted_at": null,
	"sha1_hash": "e05cd0cb9e0c88b8d43e346a6a3b293f983cf2dd",
	"title": "Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1053858,
	"plain_text": "Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool\r\nBy Buddy Tancio, Jed Valderama\r\nPublished: 2023-02-24 · Archived: 2026-04-06 01:12:18 UTC\r\nMalware\r\nTrend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.\r\nIntroduction\r\nTrend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used (via the DLL Search Order Hijacking or T1574.001 technique) to sideload a malicious DLL we identified as a variant of PlugX (Trojan.Win32.KORPLUG.AJ.enc). This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers. Meanwhile, PlugX is a well-known remote access trojan (RAT) that is used to gain remote access to and control over compromised machines. It allows an attacker to obtain unauthorized access to a system, steal sensitive data, and use the compromised machine for malicious purposes. The MxDR team employed a number of advanced security technologies and solutions to gain a comprehensive understanding of the attack, which will be revealed in this report.\r\nInvestigating and analyzing the threat with MxDR\r\nBeing a legitimate application, x32dbg.exe’s valid digital signature can confuse some security tools, enabling threat actors to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions.\r\nhttps://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html\r\nPage 1 of 10\r\n
Figure 1. A digitally signed x32dbg.exe (ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15)\r\nThe team's attention was first drawn to the command line execution of D:\\RECYCLER.BIN\\files\\x32dbg.exe, which was flagged by a Vision One Workbench alert. Further investigation revealed that this path led to a hidden folder on the USB storage device, which was found to contain a number of threat components.\r\nWe uncovered a clear sequence of events that began with a suspicious command line execution launched via cmd.exe. The command line executed the file (ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15) located at D:\\RECYCLER.BIN\\files\\x32dbg.exe. The file was signed by “Open-Source Developer, Duncan Ogilvie”, issued by Certum Code Signing. A visual representation of these events is displayed in Figure 3.\r\nCommand Line: \"C:\\Windows\\System32\\cmd.exe\" /q /c \"\\ \\RECYCLER.BIN\\files\\x32dbg.exe\"\r\nFile Path: \"D:\\ \\ \\RECYCLER.BIN\\files\\x32dbg.exe\"\r\nSHA256: ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15\r\nSigner: Open-Source Developer, Duncan Ogilvie\r\nFigure 3. Vision One shows how cmd.exe calls x32dbg.exe from the external/non-system drive\r\nAfter executing D:\\RECYCLER.BIN\\files\\x32dbg.exe, all of the threat components are copied to the directory C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop.\r\nSubsequently, the file C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe, a duplicate of the original file, was invoked. The following command line was used to invoke the dropped file:\r\nCommand Line: \"C:\\Windows\\System32\\cmd.exe\" /q /c \"C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop//x32dbg.exe\"\r\n
Figure 4. Files created in C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\r\nFigure 6. Vision One shows how x32dbg.exe copies itself to various directories and renames itself as Mediae.exe\r\nC:\\Users\\Public\\Public Mediae\\Mediae.exe followed the same procedure, creating a new directory at C:\\Users\\\u003cusername\u003e\\Users\\ and copying the identical files as shown in Figure 7.\r\nFigure 7. The same set of files were created in C:\\Users\\\u003cusername\u003e\\Users\\\r\nAs a result, a full set of the same files was present in three different directories. This indicated a clear attempt to establish persistence and evade detection by placing copies of the malicious files in multiple locations in the compromised system, specifically:\r\nC:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\r\nC:\\Users\\Public\\Public Mediae\\\r\nC:\\Users\\\u003cusername\u003e\\Users\\\r\nAnalyzing persistence: how the attacker maintained access\r\nTo ensure continued access to the compromised systems, the attacker used techniques involving the installation of persistence in the registry, the creation of scheduled tasks to maintain access (even in case of system restarts), the implementation of changes in credentials, and other potential disruptions that could result in lost access.\r\nFigure 8. Persistence was created in the scheduled task and run registry\r\nWe noticed the creation of a scheduled task via the schtasks command line utility to run a task at a specific time. In this case, the scheduled task is set to execute the x32dbg.exe file, the open-source debugger tool that sideloads PlugX, every five minutes. The task is disguised under the name \"LKUFORYOU_1\" to make it more difficult to detect.\r\nCommand line: schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe /f\r\nA brief summary of the parameters used:\r\n/create: This option instructs the utility to create a new scheduled task.\r\n/sc minute: This option sets the schedule type to minute-based; combined with /mo 5, the task runs every five minutes.\r\n/mo 5: This option is the modifier for the schedule type and sets the interval to five minutes.\r\n/tn LKUFORYOU_1: This option sets the name of the task to \"LKUFORYOU_1\".\r\n/tr C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe: This option specifies the path of the executable that will be run when the task is triggered.\r\n/f: This option forces the task to be created without requiring user confirmation.\r\nFigure 9. The schtasks utility was used to create persistence in the scheduled task\r\nFurther evidence supporting the persistence created by the scheduled task was discovered in the event logs via Event ID 100, which clearly showed the successful execution of the file (depicted in Figure 10).\r\nFigure 11 depicts where run registry keys were installed for persistence, and the data associated with them. These registry keys and values enable the threat to maintain persistence by automatically executing the x32dbg.exe file every time the user logs in.\r\nRegistry Key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry Value Name: x32dbg\r\nRegistry Value Data: C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe\r\nFigure 11. Persistence in the run registry (this image came from ESX testing)\r\n
Hiding in plain sight: DLL sideloading with x32dbg.exe\r\nWe observed x32dbg.exe being used to sideload the PlugX file x32bridge.dll (0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9, detected as Trojan.Win32.KORPLUG.AJ). Sideloading takes advantage of the loader's DLL search order by placing the malicious payload(s) and the victim program side by side. This process is likely used by malicious actors as a cover for operations carried out within a trusted, legitimate, and possibly elevated system or software process.\r\nFigure 12. x32dbg.exe sideloaded the PlugX file x32bridge.dll (Trojan.Win32.KORPLUG.AJ)\r\nWe observed that the file akm.dat (0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799, detected as Trojan.Win32.KORPLUG.AJ) was also registered and executed via rundll32, a Windows component which attackers can abuse to facilitate the execution of malicious code. By using rundll32.exe to execute the file, the attackers can prevent security tools from monitoring this activity.\r\nrundll32 SHELL32.DLL, ShellExec_RunDLL rundll32 C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\akm.dat,Start\r\nUnveiling the tactics used: an in-depth analysis of the threat\r\nThrough reverse engineering, we were able to gain a deep understanding of how the threat operates. By analyzing the tactics and techniques used by the attacker, we can identify and prevent similar attacks in the future.\r\nOur analysis of this attack in Vision One revealed that the threat heavily relied on DLL sideloading, which is typical PlugX behavior. However, this variant was unique in that it employed several components to perform various functions, including persistence, propagation, and backdoor communication. As a result, we were able to identify and isolate the different files used by the attacker in their routine.\r\nPersistence and propagation: x32dbg.exe (with the components x32bridge.dll and x32bridge.dat)\r\nThe file x32dbg.exe is a legitimate executable of a debugging software which, when executed, imports x32bridge.dll and calls the functions BridgeStart and BridgeInit. The attackers took advantage of this and replaced the DLL with their own, containing the same export functions but executing entirely different code:\r\nBridgeStart – dummy code that does nothing\r\nBridgeInit – loads x32bridge.dat, decrypts its contents, then proceeds with the execution of the decrypted code.\r\nThe hardcoded key “HELLO_USA_PRISIDENT” is used to decode x32bridge.dat, after which execution continues in the decrypted code.\r\nIt then checks for an event named LKU_Test_0.1 (or creates it if not found). This is followed by the execution of akm.dat found in the same folder.\r\n
Next, it creates the scheduled task LKUFORYOU_1 to run x32dbg.exe persistently, as observed in our Vision One investigation.\r\nIt then enumerates all drives and takes note of removable drives for its propagation routine. When one is found, it deletes files from any existing RECYCLER.BIN folder before creating a new one. It copies its components that have the file extensions .exe, .dll, and .dat to the newly created folder and adds a desktop.ini file.\r\nFigure 17. Deleting the existing RECYCLER.BIN folder and creating a new one\r\nNext, it proceeds to its installation routine, where it copies all its components to the several folders listed in the Vision One analysis.\r\nOnce installed, it runs the file Mediae.exe (the same file as x32dbg.exe), which remains in memory, looping through the aforementioned routines.\r\nMediae.exe also creates the event LKU_Test_0.2, possibly to signal a successful installation.\r\nAs also seen in the Vision One analysis, the malware checks if it already has an AutoStart registry key (x32dbg), and creates one if there isn’t. Note that the execution path may vary depending on where x32dbg.exe / Mediae.exe was executed.\r\nNext stage loader: akm.dat\r\nThe file akm.dat is a DLL with a straightforward function: to execute the next phase of the DLL sideloading routine. Its export function Start executes the file AUG.exe (also included in the previous installation from x32dbg.exe).\r\nThe backdoor UDP Shell: AUG.exe (with the components DismCore.dll and Groza_1.dat)\r\nAUG.exe is a copy of DISM.EXE, a legitimate Microsoft file which is also vulnerable to DLL sideloading. It imports the function DllGetClassObject from DismCore.dll, which decrypts the contents of Groza_1.dat using the hardcoded key “Hapenexx is very bad”.\r\nExecution continues in the decrypted code, which is a UDP Shell client that does the following:\r\nCollects host information such as the hostname, IP address and MAC address and sends it to its command-and-control (C\u0026C) server 160[.]20[.]147[.]254\r\nCreates a thread to continuously wait for C\u0026C commands\r\nDecrypts C\u0026C communication using the hardcoded key “Happiness is a way station between too much and too little.”\r\nHardcoded debug info found in file: C:\\Users\\guss\\Desktop\\Recent Work\\UDP SHELL\\0.7 DLL\\UDPDLL\\Release\\UDPDLL.pdb\r\n
Conclusion and Recommendations\r\nThe discovery and analysis of the malware attack using the open-source debugger tool x32dbg.exe shows us that DLL sideloading is still used by threat actors today because it is an effective way to circumvent security measures and gain control of a target system. Despite advances in security technology, attackers continue to use this technique since it exploits a fundamental trust in legitimate applications. This technique will remain viable for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries.\r\nThis incident highlights the importance of having a strong and robust cybersecurity system in place, as threat actors continue to find new ways to exploit vulnerabilities and launch sophisticated attacks. Trend Micro Managed Extended Detection and Response (MxDR) services help in the prevention of DLL sideloading attacks by taking a comprehensive approach to detecting, investigating, and responding to security incidents.\r\nTrend XDR products integrate a variety of security technologies, such as endpoint protection, network security, and cloud security, to provide a comprehensive picture of an organization's security posture. This enables MxDR to detect and prevent DLL sideloading attacks by detecting and blocking malicious activity at various stages of the attack lifecycle before it can cause harm. Furthermore, XDR can perform in-depth analysis and investigation of security incidents, allowing organizations to understand the impact and scope of an attack and respond appropriately.\r\nHere are some recommendations that IT administrators can put into place to prevent DLL sideloading attacks:\r\nImplement whitelisting: Allow only known and trusted applications to run on the system while blocking any suspicious or unknown ones.\r\nUse signed code: Ensure that all DLLs are signed with a trusted digital signature to ensure their authenticity and integrity.\r\nMonitor and control application execution: Monitor and control the execution of applications and their dependencies, including DLLs, to detect and prevent malicious activities.\r\nEducate end users: Inform users about the dangers of DLL sideloading attacks and encourage them to exercise caution when installing or running unfamiliar software.\r\nEndpoint protection: Use endpoint protection solutions that offer behavioral analysis and predictive machine learning for better security capabilities.\r\nImplement effective incident response plans: Establish a clear and well-defined incident response plan to detect, contain, and respond to security incidents as quickly as possible.\r\n
Indicators of Compromise\r\nFile name  SHA256  Detection name\r\nx32dbg.exe  ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15  Legitimate Windows debugger\r\nx32bridge.dll  0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9  Trojan.Win32.KORPLUG.AJ\r\nakm.dat  0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799  Trojan.Win32.KORPLUG.AJ\r\nx32bridge.dat  e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172  Trojan.Win32.KORPLUG.AJ.en\r\nDismCore.dll  b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7  Trojan.Win32.KORPLUG.AJ\r\nGroza_1.dat  553ff37a1eb7e8dc226a83fa143d6aab8a305771bf0cec7b94f4202dcd1f55b2  Trojan.Win32.KORPLUG.AJ.en\r\nIP address / URL  Description\r\n160[.]20[.]147[.]254  C\u0026C Server\r\nSource: https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"
	],
	"report_names": [
		"investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439096,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e05cd0cb9e0c88b8d43e346a6a3b293f983cf2dd.pdf",
		"text": "https://archive.orkl.eu/e05cd0cb9e0c88b8d43e346a6a3b293f983cf2dd.txt",
		"img": "https://archive.orkl.eu/e05cd0cb9e0c88b8d43e346a6a3b293f983cf2dd.jpg"
	}
}