
How a new PlugX variant abuses DLL search order hijacking

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new PlugX variant. The campaign, active since 2022, shows overlaps with RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods. The new PlugX variant's configuration format resembles that of RainyDay, suggesting attribution to Naikon. Analysis of victimology and technical implementation indicates a potential connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. The malware families use similar infection chains, loaders, and shellcode structures, with shared RC4 keys for payload decryption. This campaign highlights the evolving tactics of Chinese-speaking threat actors and the potential convergence of previously distinct groups.

OPENCTI LABELS:

apt,plugx,dll hijacking,rainyday,telecommunications,manufacturing,chinese apt,backdoordiplomacy,naikon,turian


AI COMMENTARY:

1. Campaign Overview

The report titled "[report] How a new PlugX variant abuses DLL search order hijacking" details a targeted operation active since 2022. This campaign focuses on organizations in the telecommunications and manufacturing industries across Central and South Asian countries. The threat actors deliver a fresh iteration of the PlugX backdoor, leveraging native Windows mechanisms to load malicious libraries without raising immediate suspicion. Evidence suggests a sophisticated approach that blends legitimate applications with covert payload execution.

2. Threat Actor Profiles

Analysis of the malware families reveals overlaps with known Chinese-speaking APT groups such as RainyDay and Turian. The new PlugX variant's configuration format closely mirrors that of RainyDay, indicating potential Naikon involvement. At the same time, shared code structures and encryption routines align with BackdoorDiplomacy operations. These connections imply that multiple Chinese APT campaigns may be sourcing toolkits from a common vendor or collaborating on infection chain development.

3. Technical Analysis

At the heart of this campaign lies DLL search order hijacking. Attackers abuse legitimate binaries, often trusted telecommunications or manufacturing software, to sideload malicious DLLs. Once loaded, the PlugX backdoor decrypts its payload using RC4 keys identical to those employed by the RainyDay and Turian families. The loaders and shellcode architectures share remarkable similarity, underscoring a converging development effort. The combination of DLL sideloading and shared cryptographic methods allows for stealthy deployment and persistent access.

4. Victimology Insights

Victims are predominantly entities in the telecommunications and manufacturing sectors across Central and South Asia. Such organizations often maintain legacy infrastructure and may lack rigorous DLL path validation controls, making them prime targets for search order hijacking. The geographic focus highlights the strategic interest of the threat actors in communications networks and industrial processes, likely aiming to harvest intelligence or disrupt critical services.

5. Overlaps and Attribution

The convergence of shared RC4 encryption keys, similar loader frameworks, and a matching configuration schema supports the hypothesis of an underlying link between Naikon and BackdoorDiplomacy. Despite previously being treated as discrete groups, these overlaps suggest either direct collaboration or acquisition of toolkits from the same third-party vendor. This emerging picture of unified tactics challenges defenders to reassess attribution and focus on common technical indicators rather than isolated threat labels.

6. Evolving Tactics and Strategic Implications

The campaign exemplifies the evolving playbook of Chinese-speaking APT actors. By refining DLL hijacking techniques and streamlining payload decryption across multiple families, these groups increase operational efficiency and reduce their forensic footprint. The apparent convergence of RainyDay, Turian, PlugX, and BackdoorDiplomacy methodologies signals a maturation of shared development efforts. Security teams must adapt to this fluid threat landscape, anticipating rapid tool reuse and cross-group collaboration.

7. Conclusion

Defenders should prioritize monitoring for anomalous DLL loads in high-value applications and enforce strict path validation policies. Integrating threat intelligence on PlugX, RainyDay, Turian, Naikon, and BackdoorDiplomacy can accelerate detection of common indicators. As Chinese APT operators continue to refine their infection chains, a proactive, intelligence-driven defense posture remains essential to safeguard telecommunications and manufacturing environments against advanced DLL hijacking campaigns.
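As an added illustration of the monitoring the Technical Analysis and Conclusion sections call for (this is example code, not from the report or from OpenCTI), the following script flags Sysmon-style Event ID 7 image-load records that match the sideloading pattern described above: a DLL resolved from the executable's own non-standard directory, or a System32 DLL name resolved outside C:\Windows. The sample events, the trusted-directory prefixes and the list of hijack-prone DLL names are constructed assumptions to be tuned per environment.

```python
"""Flag candidate DLL search order hijacking / sideloading from Sysmon-style
Event ID 7 (Image Loaded) records.  Sample events below are constructed for
illustration; field names follow Sysmon's ImageLoad schema."""
import ntpath

# Directories where DLL loads are expected (assumption: tune per environment).
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")

# DLL names that legitimately live in System32 and are frequent hijack targets
# when a copy appears beside an executable (constructed sample list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

def _is_trusted_dir(directory: str) -> bool:
    d = directory.lower().rstrip("\\") + "\\"
    return d.startswith(TRUSTED_DIR_PREFIXES)

def classify_image_load(event: dict) -> list[str]:
    """Return reasons a load looks like sideloading; empty list means benign."""
    image, loaded = event["Image"], event["ImageLoaded"]
    img_dir, dll_dir = ntpath.dirname(image).lower(), ntpath.dirname(loaded).lower()
    dll_name = ntpath.basename(loaded).lower()
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus", "") != "Valid")
    reasons = []
    # Classic sideload: DLL next to the EXE, outside trusted install directories.
    if img_dir == dll_dir and not _is_trusted_dir(dll_dir):
        reasons.append("dll loaded from executable's own non-standard directory")
    # Search-order hijack: a System32 DLL name resolved from a non-system path.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith("c:\\windows\\"):
        reasons.append("system dll name " + dll_name + " resolved outside C:\\Windows")
    if reasons and unsigned:
        reasons.append("dll unsigned or signature invalid")
    return reasons

SAMPLE_EVENTS = [  # constructed, not taken from the report
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\victim\\AppData\\Roaming\\Update\\legit_tool.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Roaming\\Update\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    return {e["ImageLoaded"]: r for e in events if (r := classify_image_load(e))}

if __name__ == "__main__":
    for dll, why in scan(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(why))
```

Only the second event is flagged: the signed vendor DLL under Program Files and the genuine System32 load are treated as benign, so the rule targets the sideloading pattern rather than every sibling-directory load.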
