Sophisticated Cyberespionage Campaign Targets Asian Telecom, Manufacturing Sectors

A remote access Trojan that’s a staple of Chinese nation-state hacking is part of an ongoing campaign targeting telecom and manufacturing sectors in Central and South Asian countries.
Researchers at threat intel firm Cisco Talos attribute the campaign, with medium confidence, to a unit of the People’s Liberation Army based in Chengdu, a known Chinese hacking hotspot (see: Sophos Discloses Half Decade of Sustained Chinese Attack).
The threat actor, tracked as Naikon, apparently has access to a new variant of PlugX malware in a novel configuration, which suggests it likely has access to the original PlugX source code, the researchers wrote.
The campaign has been active since 2022. PlugX malware has been in circulation since 2008 and has featured in a slew of notable hacks, including against the U.S. Office of Personnel Management in 2015 and against European diplomatic agencies in 2022. It’s been in circulation for so long that some Chinese cybercriminal groups also deploy it. U.S. federal law enforcement in January announced the deletion of more than 4,000 instances of PlugX from computers based in the United States (see: FBI Deletes More Than 4,000 PlugX Malware Instances).
Cisco Talos researchers linked the campaign to Naikon based on similarities between its PlugX configuration, targeting patterns and two other backdoors, RainyDay and Turian, deployed by another Chinese cyberespionage hacking group tracked as BackdoorDiplomacy. “There are consistent targeting patterns observed in campaigns Naikon and BackdoorDiplomacy conducted, with similar countries and industries affected by these campaigns, which could indicate a possible connection,” Talos researchers wrote.
Both groups focus on telecom, with threat activity attributable to Naikon occurring in Kazakhstan. Neighboring Uzbekistan has been the site of BackdoorDiplomacy attacks. “Additionally, both Naikon and BackdoorDiplomacy have been observed targeting South Asian countries.”
The PlugX variant, the RainyDay and Turian loaders, and the shellcode structure show significant similarities, including the same RC4 keys and the same algorithm for decrypting malware payloads. All three malware families execute through DLL search order hijacking: the threat actors abuse a legitimate mobile popup application from Quick Heal Technologies to load malicious code into memory.
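As an added illustration of the shared-key overlap Talos describes (this is not code from the Talos report), the following triage routine checks which of a set of candidate RC4 keys decrypts a captured payload blob into a valid PE image. The keys, the plain-RC4 layout, the PE-header validity check and the sample blob are all constructed assumptions, since the page gives neither the real keys nor the exact decryption routine.

```python
# Added example: analyst triage helper for "which known RC4 key unpacks this
# payload?" Keys below are constructed placeholders, not the real ones.
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Validity check (assumption: decrypted stage is a PE image): 'MZ' at offset 0
    and 'PE\\0\\0' at the e_lfanew offset stored at 0x3C. Swap in another check
    (e.g. a shellcode prologue) if the family's stage is not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_rc4_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key under which `blob` decrypts to a valid PE,
    or None if no key matches. Checking every key is cheap (RC4 is fast) and a
    hit ties the sample to the key set already associated with a family."""
    for key in candidates:
        if looks_like_pe(rc4(key, blob)):
            return key
    return None


# Constructed sample: a minimal PE stub (e_lfanew = 0x40) encrypted with the
# second placeholder key, standing in for a captured encrypted payload.
PLACEHOLDER_KEYS = [b"KEY-FAMILY-A-PLACEHOLDER", b"KEY-FAMILY-B-PLACEHOLDER"]
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
ENCRYPTED_SAMPLE = rc4(PLACEHOLDER_KEYS[1], FAKE_PE)

if __name__ == "__main__":
    print("matched key:", find_rc4_key(ENCRYPTED_SAMPLE, PLACEHOLDER_KEYS))
```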
The three backdoors employ anti-analysis techniques, including control flow flattening and API hashing.
Technical analysis revealed embedded key logger functionality in all examined PlugX backdoor payloads. Talos observed timestamps indicating active key logger file generation throughout 2022, with logs indicating that one victim had been compromised from late 2022 through December 2024.
It’s possible that Naikon threat actors have a connection with BackdoorDiplomacy hackers – or that they are sourcing their tools from the same vendor, Talos wrote.
China relies on an unusual mix of military and civilian hackers for cyberespionage, including a sizeable number of private sector contractors. A study published in July posited that one reason for the recurrent tools and techniques seen in Chinese hacking is an influential cadre of hackers who emerged from the “patriotic hacking” scene of the late 1990s and early 2000s and went on to found many of the private sector firms that supply hacking services to Beijing (see: Chinese Hackers’ Evolution From Vandals to Strategists).
