Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

APT

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the threat actor using PlugX inside ZIP archives containing […]

PKPLUG aPt

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG.

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the threat actor using PlugX inside ZIP archives containing the ASCII magic bytes “PK” in the header.

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

Hackers targeted entities in the Southeast Asia region, most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe the PKPLUG also targeted other countries in Asia, including Tibet, Xinjiang, and Mongolia. 

The China-linked APT group has been active for at least six years, it used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

Below the timeline of the PKPLUG attacks over the years:

PKPLUG aPt

The first campaign associated with the PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with PlugX RAT. In April 2016, researchers from Arbor Network uncovered a campaign aimed at delivering the Poison Ivy to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, on March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox.” Hackers targeted primarily the Uyghurs minority.

Early 2019, Unit 42 researchers discovered a previously-unknown Windows backdoor Trojan called Farseer that was used by the threat actors in attacks against targets in Myanmar. Experts noticed overlaps between the infrastructure and the malware used in different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)

[adrotate banner=”5″]

[adrotate banner=”13″]