Ethical Hacking News

The Resurgence of PlugX: A New Variant of Malware Targeting Asian Telecom and ASEAN Networks


A new variant of the notorious PlugX malware has been discovered targeting telecommunications companies in Central and South Asia, highlighting the ongoing threat landscape in the region. This latest iteration of the malware shares similarities with other backdoors associated with China-linked threat actors, emphasizing the need for robust security measures and cooperation between nations to combat these threats.

  • The new variant of PlugX malware, known as Korplug or SOGU, has been discovered targeting telecommunications companies in Central and South Asia.
  • The malware shares similarities with other backdoors associated with China-linked threat actors, including RainyDay and Turian.
  • The victimology patterns focus on telecommunications companies, particularly those located in countries such as Kazakhstan and Uzbekistan.
  • The deployment of PlugX has significant implications for the security of these networks, including unauthorized access to sensitive data and potential intellectual property theft.



    In a recent development that has sent shockwaves through the cybersecurity community, a new variant of the notorious PlugX malware has been discovered targeting telecommunications companies in Central and South Asia. This latest iteration of the malware, which is also known as Korplug or SOGU, has been found to have similarities with other backdoors associated with China-linked threat actors, including RainyDay and Turian.

    According to a report by Cisco Talos researchers Joey Chen and Takahiro Takeda, the new variant of PlugX diverges significantly from its usual configuration format, instead adopting the same structure used in RainyDay. This has led some experts to speculate that there may be a connection between Lotus Panda (aka Naikon APT) and BackdoorDiplomacy (aka CloudComputating or Faking Dragon), two advanced persistent threat groups associated with China.

    The victimology patterns of the new PlugX variant, which focus on telecommunications companies, are particularly noteworthy. These companies, located in countries such as Kazakhstan and Uzbekistan, have been targeted by both Lotus Panda and BackdoorDiplomacy in the past. The fact that these two groups seem to be targeting the same region suggests a possible connection between them.

    In addition to its similarities with RainyDay and Turian, the new PlugX variant also shares some characteristics with Bookworm malware, which has been used by Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon) since 2015. Bookworm, like PlugX, utilizes legitimate-looking domains or compromised infrastructure for command-and-control purposes, making it difficult to distinguish from normal network traffic.

    The deployment of PlugX in telecommunications companies has significant implications for the security of these networks. The use of malware such as this can lead to a range of issues, including unauthorized access to sensitive data, disruptions to critical systems, and potential intellectual property theft.

    In recent months, Palo Alto Networks Unit 42 has shed light on the inner workings of Bookworm, an advanced RAT used by Mustang Panda since 2015. The malware's unique modular architecture allows its core functionality to be expanded by loading additional modules directly from its command-and-control server, making static analysis more challenging.

    While the exact nature of the connection between Lotus Panda and BackdoorDiplomacy is still unclear, it is evident that both groups are committed to using sophisticated malware such as PlugX and Bookworm to gain access to sensitive networks. The use of these tools by threat actors highlights the need for robust security measures, including regular software updates, patching of vulnerabilities, and implementation of multi-factor authentication.

    The resurfacing of PlugX despite previous retirement claims is a stark reminder that cybersecurity threats are constantly evolving. As threat actors adapt and evolve their tactics, it is essential for organizations to stay vigilant and take proactive steps to protect themselves against these emerging threats.

    In conclusion, the recent discovery of a new variant of PlugX targeting Asian telecom and ASEAN networks highlights the ongoing threat landscape in the region. The similarities between this malware and other backdoors associated with China-linked threat actors emphasize the need for robust security measures and cooperation between nations to combat these threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Resurgence-of-PlugX-A-New-Variant-of-Malware-Targeting-Asian-Telecom-and-ASEAN-Networks-ehn.shtml

  • https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html


  • Published: Sat Sep 27 07:53:01 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.