{
	"id": "bc536904-13ce-405a-9a70-76d5a1b424d9",
	"created_at": "2026-04-06T03:37:32.880908Z",
	"updated_at": "2026-04-10T13:13:06.128868Z",
	"deleted_at": null,
	"sha1_hash": "ee9827a979bcb2436545848175d36f4199848234",
	"title": "Trochilus, PlugX RATs in Targeted Attacks on Governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126555,
	"plain_text": "Trochilus, PlugX RATs in Targeted Attacks on Governments\r\nBy Milena Dimitrova\r\nPublished: 2016-01-12 · Archived: 2026-04-06 03:17:31 UTC\r\nNew types of RATs, or remote access Trojans, appear more often than ever before.\r\nSuch Trojans are typically employed in targeted attacks against corporations, organisations and governments. One of the latest RATs, discovered by the Arbor Security Engineering \u0026 Response Team (ASERT) at Arbor Networks, has been used in malicious campaigns in South-East Asia. A similar RAT was previously detected in an attack against the government of Myanmar. The hacking team behind those attacks has been identified by Cisco’s Talos Group as Group 27.\r\nHow was the attack carried out?\r\nWatering hole attacks were performed on the government’s official websites. As a result, users visiting the pages to access information on upcoming elections were infected with PlugX, a well-known RAT used in multiple attacks throughout 2015.\r\nThe fact that the attacks against Myanmar’s government were disclosed hasn’t stopped Group 27. According to the latest reports by Arbor’s Response Team (ASERT), a new remote access Trojan associated with the group’s activities has been released. At the time of analysis, the new RAT remained undetected by most antivirus vendors, which suggests that this new piece crafted for cyber espionage is quite sophisticated. It has been dubbed Trochilus.\r\nWhat is specific about Trochilus?\r\nThe latest Group 27 toolset includes a total of six malware strains, combined in different variations according to the data targeted by the criminals.\r\nASERT experts named the whole collection of malware the Seven Pointed Dagger. It consists of:\r\nTwo Trochilus RAT versions;\r\nA version of the 3102 variant of the 9002 RAT;\r\nAn EvilGrab RAT version;\r\nOne unknown piece of malware yet to be identified.\r\nSecurity analysts believe that Group 27 didn’t care much about the fact that their initial cyber espionage campaign was detected. Furthermore, the group continued infecting victims via the very same entry point: the Myanmar Election Commission website.\r\nTrochilus RAT source code uploaded on GitHub\r\nAlthough the RAT was designed to execute in the memory of the machine (thus evading detection by AV software that relies on scanning files written to disk), ASERT researchers obtained the RAT’s source code and connected it to the GitHub profile of a user named 5loyd.\r\nOn the GitHub page, the RAT is advertised as a fast and free Windows remote administration tool. Other details include:\r\nWritten in C++;\r\nSupports various communication protocols;\r\nHas a file manager module, a remote shell and a non-UAC mode;\r\nAble to uninstall itself;\r\nAble to upload information from remote machines;\r\nAble to download and execute files.\r\nResearchers believe that 5loyd is not a part of Group 27. More likely, the user’s profile has been hijacked by the group and used for their own purposes.\r\nMilena Dimitrova\r\nAn inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim\r\nSource: https://sensorstechforum.com/trochilus-plugx-rats-in-targeted-attacks-on-governments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://sensorstechforum.com/trochilus-plugx-rats-in-targeted-attacks-on-governments/"
	],
	"report_names": [
		"trochilus-plugx-rats-in-targeted-attacks-on-governments"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446652,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee9827a979bcb2436545848175d36f4199848234.pdf",
		"text": "https://archive.orkl.eu/ee9827a979bcb2436545848175d36f4199848234.txt",
		"img": "https://archive.orkl.eu/ee9827a979bcb2436545848175d36f4199848234.jpg"
	}
}