Cyber Web Spider Blog – News
China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

Posted on September 27, 2025 By CWS

Sep 27, 2025Ravie LakshmananMalware / Community Safety
Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).
"The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.
The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the typical PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It is also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.

PlugX is a modular remote access trojan (RAT) widely used by many China-aligned hacking groups, but most prominently by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon).
Turian (aka Quarian or Whitebird), on the other hand, is assessed to be a backdoor exclusively employed in cyber attacks targeting the Middle East by another advanced persistent threat (APT) group with ties to China called BackdoorDiplomacy (aka CloudComputating or Faking Dragon).
The victimology patterns – particularly the focus on telecommunications companies – and the technical malware implementation have yielded evidence suggesting likely connections between Lotus Panda and BackdoorDiplomacy, raising the possibility that either the two clusters are one and the same, or that they are obtaining their tools from a common vendor.
In one incident detected by the company, Naikon is said to have targeted a telecom firm in Kazakhstan, a country that shares its borders with Uzbekistan, which has previously been singled out by BackdoorDiplomacy. What's more, both hacking crews have been found to zero in on South Asian countries.

The attack chains primarily involve abusing a legitimate executable associated with Mobile Popup Application to sideload a malicious DLL that is then used to decrypt and launch PlugX, RainyDay, and Turian payloads in memory. Recent attack waves orchestrated by the threat actor have leaned heavily on PlugX, which uses the same configuration structure as RainyDay and includes an embedded keylogger plugin.
"While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping elements – such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor," Talos said. "These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign."
Mustang Panda’s Bookworm Malware Detailed
The disclosure comes as Palo Alto Networks Unit 42 sheds light on the inner workings of the Bookworm malware, used by the Mustang Panda actor since 2015 to gain extensive control over compromised systems. The advanced RAT comes fitted with capabilities to execute arbitrary commands, upload/download files, exfiltrate data, and establish persistent access.
Earlier this March, the cybersecurity vendor said it identified attacks targeting countries affiliated with the Association of Southeast Asian Nations (ASEAN) to distribute the malware.

Bookworm uses legitimate-looking domains or compromised infrastructure for C2 purposes in order to blend in with normal network traffic. Select variants of the malware have also been found to share overlaps with TONESHELL, a known backdoor associated with Mustang Panda since late 2022.
Like PlugX and TONESHELL, attack chains distributing Bookworm rely on DLL side-loading for payload execution, although newer variants have embraced a technique that involves packaging shellcode as universally unique identifier (UUID) strings, which are then decoded and executed.
"Bookworm is known for its unique modular architecture, allowing its core functionality to be expanded by loading additional modules directly from its command-and-control (C2) server," Unit 42 researcher Kyle Wilhoit said. "This modularity makes static analysis more difficult, as the Leader module relies on other DLLs to provide specific functionality."
"This deployment and adaptation of Bookworm, running in parallel with other Stately Taurus operations, showcases its long-term role in the actor's arsenal. It also points to a sustained, long-term commitment to its development and use by the group."
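The UUID-string packaging mentioned above matters to analysts because a payload stored this way never appears as a contiguous byte blob in the file; it has to be rebuilt from the string table before it can be hashed, scanned or disassembled. The following is an added example written for this page, not code from Unit 42 or from the Bookworm samples, and it assumes only one documented detail: that the loader converts each string with the Windows RPC routine UuidFromStringA, whose in-memory layout (first three fields little-endian, last two as-is) Python's `uuid.UUID.bytes_le` reproduces. It pairs a decoder with a simple triage heuristic that flags runs of back-to-back UUID strings in source code or decompiler output while leaving a lone GUID such as a COM interface id alone. The sample text and the 16-byte values it encodes are constructed for the example.

```python
import re
import uuid
from typing import List

# Canonical 8-4-4-4-12 textual UUID form.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Characters that may separate entries of a string table (quotes, commas,
# whitespace). Any other character between two UUIDs ends the run.
SEPARATOR_CHARS = set(" \t\r\n\"',")

# Constructed sample resembling decompiler output; not taken from any real binary.
SAMPLE_TEXT = '''
static const char *kGuidTable[] = {
    "03020100-0504-0706-0809-0a0b0c0d0e0f",
    "6c6c6548-2c6f-6120-6e61-6c7973742120",
    "03020100-0504-0706-0809-0a0b0c0d0e0f",
    "6c6c6548-2c6f-6120-6e61-6c7973742120",
};
// A single GUID (here IID_IUnknown) must not be flagged on its own.
const char *kUnrelated = "00000000-0000-0000-c000-000000000046";
'''


def uuids_to_bytes(uuid_strings: List[str]) -> bytes:
    """Rebuild the byte buffer a UUID string table encodes.

    Each string yields 16 bytes in the layout UuidFromStringA produces:
    Data1/Data2/Data3 little-endian, Data4 as written. uuid.UUID.bytes_le
    gives exactly that, so the buffer is recovered without executing it.
    """
    out = bytearray()
    for s in uuid_strings:
        if not UUID_RE.fullmatch(s):
            raise ValueError(f"not a canonical UUID string: {s!r}")
        out += uuid.UUID(s).bytes_le
    return bytes(out)


def find_uuid_runs(text: str, min_run: int = 4) -> List[List[str]]:
    """Triage heuristic: return runs of at least min_run UUID strings that are
    separated only by quotes, commas and whitespace (i.e. a string table)."""
    runs: List[List[str]] = []
    current: List[str] = []
    last_end = None
    for m in UUID_RE.finditer(text):
        if last_end is not None and set(text[last_end:m.start()]) <= SEPARATOR_CHARS:
            current.append(m.group(0))  # contiguous with the previous entry
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [m.group(0)]      # start a new candidate run
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return runs


def recover_payloads(text: str, min_run: int = 4) -> List[bytes]:
    """Locate UUID tables in text and decode each into raw bytes for analysis."""
    return [uuids_to_bytes(run) for run in find_uuid_runs(text, min_run)]


if __name__ == "__main__":
    for i, blob in enumerate(recover_payloads(SAMPLE_TEXT)):
        print(f"table {i}: {len(blob)} bytes, first 16 bytes: {blob[:16].hex()}")
```

Recovered buffers can be handed to a disassembler or hashed for sharing; note that a table whose payload length is not a multiple of 16 will carry trailing padding bytes that the decoder cannot distinguish from data. The run heuristic is deliberately coarse and will also surface legitimate GUID tables, so it is a pointer for a human, not a verdict.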

Source: The Hacker News. Tags: ASEAN, Asian, Attacks, Bookworm, ChinaLinked, Malware, Networks, PlugX, Target, Telecom
