Thursday, January 30, 2025
HomeComputer SecurityPKPLUG -New Research Found Same Chinese Hacking Group Involved with Multiple Cyber...

PKPLUG -New Research Found Same Chinese Hacking Group Involved with Multiple Cyber Attacks Across Asia

Published on

SIEM as a Service

Follow Us on Google News

Researchers linked multiple Cyber-espionage campaigns across Asia to the threat actor group PKPLUG. The group uses its PlugX malware and the number of additional payloads in the campaign.

The group primarily targets Southeast Asia regions such as particularly Myanmar, Taiwan, Vietnam, and Indonesia and other parts of Asia such as Tibet, Xinjiang, and Mongolia.

Based on Unit 42 research the main objectives of attack are to implant backdoors on victims’ systems and mobiles, tracks and gathering information.

“The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.”

Following are the malware used

PKPLUG Attack Timeline

The group found active for more than six years, their first attack dated November 2013, against Mongolia, in the attack the malicious payloads launched via digitally signed legitimated applications.

The second attack in April 2016, that attack uses Poison Ivy malware against targets in Myanmar and other countries in Asia.

PKPLUG
Attack Timeline Credits: Unit 42

The third attack found in July 2016, Spear-phishing campaign contains shorten links hosted on Google Drive. The attack against Myanmar and other Asian countries using 9002 Trojan as a payload.

The fourth attack in March 2017, spear-phishing campaign using GeoCities Japan website to deliver malware, Poison Ivy used as a payload.

The fifth attack named HenBox, poses a legitimate app targets, Turkic ethnic group, the malware distributed through third-party app stores and their goal is to harvest outgoing calls.

The sixth attack in February 2019, targeting the Uyghur population, attackers used Farseer Windows malware. it was distributed through signed binaries.

Maltego image posted by Unit 42, shows that “known malware samples related to PKPLUG, and the chart continues to grow as we discover more about this adversary, ” reads the report.

PKPLUG
Maltego Image Relating the Attacks Credits: Unit 42

The C2 infrastructure used in attacks, domains, and malware used are concerning each other, you can find the PKPLUG Adversary Playbook here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware

Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS...

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol...

New SMS-Based Phishing Tool ‘DevilTraff’ Enables Mass Cyber Attacks

Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that...

DeepSeek Database Publicly Exposed Sensitive Information, Secret Keys & Logs

Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek,...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware

Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS...

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol...

New SMS-Based Phishing Tool ‘DevilTraff’ Enables Mass Cyber Attacks

Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that...