{
	"id": "396fa0b0-5757-4176-867e-75c83be302b6",
	"created_at": "2026-04-06T00:10:55.068938Z",
	"updated_at": "2026-04-10T03:36:33.923916Z",
	"deleted_at": null,
	"sha1_hash": "f5c7aa7fe83d4bbc52389947ff261c70aea13229",
	"title": "Finding Malware: Detecting SOGU with Google Security Operations.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 329162,
	"plain_text": "Finding Malware: Detecting SOGU with Google Security\r\nOperations.\r\nBy Rommel-J\r\nPublished: 2024-06-05 · Archived: 2026-04-06 00:04:15 UTC\r\nWelcome to the Finding Malware Series\r\nIntroducing \"Finding Malware,\" a new blog series from Managed Defense to empower the Google Security\r\nOperations community to detect emerging and persistent malware threats. Our first post dives deep into the SOGU\r\nmalware family and the detection opportunities available within Google SecOps. Happy hunting!\r\nAbout SOGU\r\nAlso known as: PlugX, Korplug\r\nSOGU is a backdoor that supports commands to exfiltrate files, log keystrokes, open a remote command shell, and\r\nupload/download files, and it can extend its functionality with additional plugins. The backdoor has existed\r\nsince at least 2008 and is still under continuous development; new variants are constantly being discovered.\r\nSOGU is primarily associated with Advanced Persistent Threat (APT) groups, such as TEMP.Hex, and is often used\r\nfor cyber-espionage.\r\nAttack Lifecycle\r\nFigure 1: SOGU Attack Lifecycle\r\nInitial Compromise\r\nSOGU spreads through several methods: infected USB flash drives, targeted phishing emails containing malicious\r\nattachments or links, or compromised software downloads.\r\nEstablish Foothold\r\nhttps://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-SOGU-with-Google-Security-Operations/ba-p/758777\r\nPage 1 of 5\n\nThe infection consists of three core files: a legitimate executable, a malicious DLL loader, and an encrypted\r\nSOGU payload.\r\nFigure 2: SOGU components\r\nUpon execution, the legitimate executable loads the malicious DLL via DLL search-order hijacking. This loader decrypts\r\nthe shellcode (often disguised as a .dat file), loads it into memory, and executes it. The shellcode is tracked as\r\nSOGU.\r\nThe executable and .dat files can be renamed to any filename, but the DLL filename is usually fixed and resembles\r\nthe filename of a legitimate DLL that the executable expects to load.\r\nInternal Reconnaissance and Data Staging\r\nIn some variants of the SOGU malware, a dropped batch file runs host reconnaissance commands. The\r\noutput of these commands is then saved to a file, often named \"c3lzLmluZm8\". This filename, when decoded\r\nfrom Base64, reveals the file's true name: \"sys.info\".\r\ntasklist /v\r\narp -a\r\nnetstat -ano\r\nipconfig /all\r\nsysteminfo\r\nAfter host reconnaissance, the malware searches the host for specific file types, including common office\r\ndocuments (e.g., .doc, .docx, .ppt, .pptx, .xls, .xlsx) and PDFs. Upon finding a match, the malware encrypts a copy\r\nof the file using the RC4 algorithm. The original filename is encoded into Base64, and the encrypted copy is\r\nmoved to one of the following staging directories:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Intel\\\u003cSOGU unique ID\u003e\\\u003cfilename in Base64\u003e\r\n\u003cdrive\u003e:\\RECYCLER.BIN\\\u003cSOGU unique ID\u003e\\\u003cfilename in Base64\u003e\r\nThe SOGU unique ID, which also serves as the name of the staging directory, is typically a 16-character identifier\r\nconsisting of numbers and uppercase letters.\r\nMove Laterally\r\nSOGU has spreading capabilities: it identifies removable drives on an infected host and propagates to those\r\ndrives. The malware creates the following at the root of the drive:\r\nA new hidden folder whose name is a single space (e.g., \u003cdrive\u003e:\\ \\)\r\nA new hidden folder called \"RECYCLER.BIN\" or \"RECYCLERS.BIN\"\r\nA Windows shortcut file named after the drive (e.g., \"My USB Key.lnk\")\r\nMaintain Persistence\r\nSOGU malware has been observed using scheduled tasks or registry run keys to maintain persistence on infected\r\nsystems.\r\nIt creates a copy of itself masquerading as a legitimate program and sets the directory's attribute to hidden. It then\r\ncopies its main components into this directory, commonly under one of the following paths:\r\nC:\\ProgramData\\\u003cfolder name\u003e\r\nC:\\Users\\Public\\\u003cfolder name\u003e\r\n%APPDATA%\\\u003cfolder name\u003e\r\nMission Complete\r\nIn the last stage of the attack lifecycle, the malware exfiltrates any data that has been staged. It has been observed\r\nusing various communication channels to connect with its command-and-control (C2) server. This communication\r\ncan occur over HTTP, HTTPS, a custom binary protocol using TCP or UDP, or ICMP.\r\nUpon establishing a connection with the C2 server, SOGU enables an attacker to remotely control the infected\r\nsystem. The range of capabilities at the attacker's disposal includes file transfer, file execution, remote desktop,\r\nscreenshot capture, reverse shell, and keylogging.\r\nDetection Through Google Security Operations\r\nEnterprise and Enterprise Plus customers benefit from these detections being applied automatically through\r\ncurated detections.
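Before going into the rules, here is the same detection logic in runnable form. The following Python script is an added example written for this page, not code from the original post, Mandiant or Google SecOps: it re-implements the three checks that the YARA-L rules below express (a RECYCLER.BIN or RECYCLERS.BIN process launch with a three-digit and a two-digit argument, a file event for c3lzLmluZm8, and a file written into a 16-character uppercase staging directory under a Base64 name) over a handful of constructed UDM-style events, and decodes the Base64 names back to the originals. It departs from the published staging rule in one deliberate way: that rule requires one to three trailing = characters, but the page's own c3lzLmluZm8 example has none (sys.info is 8 bytes, so a padded encoding would end in =), so the example treats padding as optional and restores it before decoding. The flattened event field names, the drive letter, user, 16-character ID and file names are constructed for illustration.

```python
import base64
import re

# chr(92) is the backslash; it is built this way so the example contains no
# literal backslash or double quote (constructed sample data below).
BS = chr(92)
SEP = re.escape(BS)

# sogu_recycler_bin: RECYCLER.BIN or RECYCLERS.BIN in a command line, an .exe
# within 30 path characters, then a three-digit and a two-digit argument.
RECYCLER_LAUNCH = re.compile(
    '(RECYCLER|RECYCLERS)[.]BIN[a-zA-Z0-9' + SEP + ']{0,30}[.]exe [0-9]{3} [0-9]{2}',
    re.IGNORECASE)

# sogu_data_staging: a 16-character uppercase alphanumeric directory followed by
# a Base64 file name. Padding is optional here (the published rule needs ={1,3});
# the c3lzLmluZm8 example on this page shows SOGU can drop the padding.
STAGED_FILE = re.compile(SEP + '[A-Z0-9]{16}' + SEP + '([a-zA-Z0-9]{5,}={0,3})$')

# sogu_sys_info: the Base64 form of sys.info, matched case-insensitively.
SYS_INFO_NAME = 'c3lzLmluZm8'


def decode_b64_name(token):
    '''Decode a Base64 file name, restoring stripped padding; None if not Base64.'''
    padded = token + '=' * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event):
    '''Return [(rule_name, detail), ...] for one flattened UDM-style event.'''
    hits = []
    etype = event.get('event_type')
    if etype == 'PROCESS_LAUNCH':
        # The published rule checks both the target and the principal command line.
        for field in ('target_command_line', 'principal_command_line'):
            cmd = event.get(field, '')
            if RECYCLER_LAUNCH.search(cmd):
                hits.append(('sogu_recycler_bin', cmd))
                break
    elif etype in ('FILE_CREATION', 'FILE_MODIFICATION'):
        path = event.get('full_path', '')
        if SYS_INFO_NAME.lower() in path.lower():
            hits.append(('sogu_sys_info', 'decodes to ' + str(decode_b64_name(SYS_INFO_NAME))))
        match = STAGED_FILE.search(path)
        if match and event.get('size', 0) > 0:
            original = decode_b64_name(match.group(1))
            hits.append(('sogu_data_staging', 'staged copy of ' + str(original)))
    return hits


def scan(events):
    '''Map each event index to the names of the rules it triggered.'''
    return {i: [name for name, _ in detect(e)] for i, e in enumerate(events)}


# Constructed events; the drive letter, user, ID and file names are invented.
STAGING_DIR = 'A1B2C3D4E5F6G7H8'
EVENTS = [
    {'event_type': 'PROCESS_LAUNCH',
     'target_command_line': BS.join(['E:', 'RECYCLER.BIN', STAGING_DIR, 'setup.exe 128 14'])},
    {'event_type': 'FILE_CREATION', 'size': 2048,
     'full_path': BS.join(['C:', 'Users', 'alice', 'AppData', 'Roaming', 'Intel', STAGING_DIR, SYS_INFO_NAME])},
    {'event_type': 'FILE_MODIFICATION', 'size': 20480,
     'full_path': BS.join(['E:', 'RECYCLER.BIN', STAGING_DIR, 'UTQgcmVwb3J0LmRvY3g='])},
    {'event_type': 'PROCESS_LAUNCH',
     'target_command_line': BS.join(['C:', 'Windows', 'System32', 'notepad.exe report.txt'])},
    {'event_type': 'FILE_CREATION', 'size': 40960,
     'full_path': BS.join(['C:', 'Users', 'alice', 'Documents', 'Q4 report.docx'])},
]

if __name__ == '__main__':
    for index, event in enumerate(EVENTS):
        for rule_name, detail in detect(event):
            print(index, rule_name, detail)
```

Events 3 and 4 (a normal notepad launch and a document in the user's Documents folder) produce no hits; the second event fires both file rules because the recon output was written into the staging directory. The relaxed padding broadens the signature, so in production pair it with the size check and with the Intel or RECYCLER.BIN parent directories listed under the staging paths above rather than alerting on the directory pattern alone.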
Standard customers can create single-event or multi-event rules to detect the malware.\r\nThis rule detects the execution of SOGU malware from a known directory.\r\nrule sogu_recycler_bin {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"This rule matches the process launch event for a binary from the directory RECYCLER.BIN or RECYCLERS.BIN with numerical arguments.\"\r\n    mitre_attack_tactic = \"Execution\"\r\n    mitre_attack_technique = \"User Execution: Malicious File\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1204/002/\"\r\n    mitre_attack_version = \"v14.1\"\r\n    severity = \"High\"\r\n    priority = \"High\"\r\n    platform = \"Windows\"\r\n    type = \"hunt\"\r\n  events:\r\n    $e.metadata.event_type = \"PROCESS_LAUNCH\" and (\r\n      re.regex($e.target.process.command_line, `(RECYCLER|RECYCLERS)\\.BIN[a-zA-Z0-9\\\\]{0,30}\\.exe [0-9]{3} [0-9]{2}`) nocase or\r\n      re.regex($e.principal.process.command_line, `(RECYCLER|RECYCLERS)\\.BIN[a-zA-Z0-9\\\\]{0,30}\\.exe [0-9]{3} [0-9]{2}`) nocase\r\n    )\r\n  condition:\r\n    $e\r\n}\r\nThis rule identifies the staging of host information for exfiltration by the SOGU malware.\r\nrule sogu_sys_info {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"This rule matches on a file event for a file with the name c3lzLmluZm8, which base64-decodes to sys.info. This has been observed in SOGU compromises, where the file has been observed to contain host-based reconnaissance data staged for exfiltration.\"\r\n    mitre_attack_tactic = \"Collection\"\r\n    mitre_attack_technique = \"Data Staged: Local Data Staging\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1074/001/\"\r\n    mitre_attack_version = \"v14.1\"\r\n    severity = \"High\"\r\n    priority = \"High\"\r\n    platform = \"Windows\"\r\n    type = \"hunt\"\r\n  events:\r\n    ($e.metadata.event_type = \"FILE_CREATION\" or $e.metadata.event_type = \"FILE_MODIFICATION\") and (\r\n      re.regex($e.target.file.names, `c3lzLmluZm8`) nocase or\r\n      re.regex($e.target.file.full_path, `c3lzLmluZm8`) nocase\r\n    )\r\n  condition:\r\n    $e\r\n}\r\nThis rule identifies the staging of stolen data for exfiltration by the SOGU malware.\r\nrule sogu_data_staging {\r\n  meta:\r\n    author = \"Mandiant\"\r\n    description = \"This rule matches on directory and filename patterns observed in data staging for exfiltration, as part of a SOGU compromise. The data staging directory is typically 16 characters composed of numbers and capital letters, while the filenames are base64-encoded legitimate filenames from the affected system.\"\r\n    mitre_attack_tactic = \"Collection\"\r\n    mitre_attack_technique = \"Data Staged: Local Data Staging\"\r\n    mitre_attack_url = \"https://attack.mitre.org/techniques/T1074/001/\"\r\n    mitre_attack_version = \"v14.1\"\r\n    severity = \"High\"\r\n    priority = \"High\"\r\n    platform = \"Windows\"\r\n    type = \"hunt\"\r\n  events:\r\n    ($e.metadata.event_type = \"FILE_CREATION\" or $e.metadata.event_type = \"FILE_MODIFICATION\") and (\r\n      $e.target.file.size \u003e 0 and\r\n      re.regex($e.target.file.full_path, `.`) nocase and\r\n      re.regex($e.target.file.full_path, `\\\\[A-Z0-9]{16}\\\\[a-zA-Z0-9]{5,}={1,3}$`)\r\n    )\r\n  condition:\r\n    $e\r\n}\r\nBeyond the Blog: Empower Your SecOps with Gemini\r\nIn the ever-changing threat landscape, the ability to respond quickly is key to effective SecOps. This blog\r\nprovides insights on the SOGU malware, but it is important to remember that malware is constantly evolving and\r\nfinding new ways to bypass defenses.\r\nGemini in Google Security Operations can accelerate response by enabling teams to quickly develop new\r\ndetection rules to counter emerging attack techniques. This helps keep defenses ready to stop attacks and\r\npromptly resolve incidents.\r\nHere is a quick demonstration of how you can create a YARA-L rule to detect potential malware\r\ncompromise using Gemini within Google Security Operations. It took just a few seconds to generate this rule; what\r\nremains is to review it for accuracy and effectiveness.\r\nrule process_launch_with_command_line_containing_recycler_bin_or_recyclers_bin_and_exe_with_numerical_argument {\r\n  meta:\r\n    author = \"Google SecOps Gemini\"\r\n    description = \"Process launch with command line containing RECYCLER.BIN or RECYCLERS.BIN and .exe with numerical argument\"\r\n    severity = \"LOW\"\r\n  events:\r\n    $e.metadata.event_type = \"PROCESS_LAUNCH\"\r\n    re.regex($e.target.process.command_line, `RECYCLER\\.BIN|RECYCLERS\\.BIN`) nocase\r\n    re.regex($e.target.process.command_line, `\\.exe\\s+\\d+`) nocase\r\n  outcome:\r\n    $process_name = $e.target.process.file.full_path\r\n    $command_line = $e.target.process.command_line\r\n    $user = $e.principal.user.userid\r\n  condition:\r\n    $e\r\n}\r\nThe rule created by Gemini. Note that it is broader than the Mandiant rule above: it accepts any .exe followed by any run of\r\ndigits, with no constraint on the path between RECYCLER.BIN and the executable, so expect it to be noisier.\r\nFor more information, check out the documentation on Gemini in Google SecOps!\r\nSource: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-SOGU-with-Google-Security-Operations/ba-p/758777",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-SOGU-with-Google-Security-Operations/ba-p/758777"
	],
	"report_names": [
		"758777"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5c7aa7fe83d4bbc52389947ff261c70aea13229.pdf",
		"text": "https://archive.orkl.eu/f5c7aa7fe83d4bbc52389947ff261c70aea13229.txt",
		"img": "https://archive.orkl.eu/f5c7aa7fe83d4bbc52389947ff261c70aea13229.jpg"
	}
}